logstash-filter-dissect 1.0.8 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8ab8fdb5cc4c1f091bb5e2b439497b40fd1bfef2
-  data.tar.gz: 59eced571c856df8dd9fb4b22a8e4d0922b47d69
+  metadata.gz: 214e5686732a713c4f413999fe85595782d0746c
+  data.tar.gz: 528f4a1d7afa2d6ea0bb7d8c55d49ce3342af913
 SHA512:
-  metadata.gz: d48240a786ab7f95ec12bbd1ab31e700cc101d17793f597263d28b01318f44cabce4d71428f8333a996152dce91dfa38683b9e7cb8c872dcb1a59c8dfeaf4cfe
-  data.tar.gz: 69df41b6eff092e685b921fb0c98b10a3b63cc2ce45b0a2e0dbcd4325e0f211178326fe0c31a680339011e0431bc53ead783313fd3162f834f806b0c9b00aae6
+  metadata.gz: 57f4154b1bc1e3eb59622d33d9e08a706f2a603957b5910bde47bf8bbab23c0271890957ba302abec26b7b633a3ce60081144a0d1026072bbff59275ca1f7089
+  data.tar.gz: 87662b417269eb478b762f6376db447f329af697c1b7df129ee068426e1530accf331ab30d4e7023f3b69fef55a0d2e9a9f500b5aa45aed86ecd0dce320c7dce

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.9
+ - Docs: Fix doc generation error by removing illegal heading
+ - Add metrics to track the number of matches and failures
+
 ## 1.0.8
  - Add "vendor/jars" to require_paths in gemspec
  

data/Gemfile

@@ -1,3 +1,11 @@
 source 'https://rubygems.org'
+
 gemspec
 
+logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
+use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
+
+if Dir.exist?(logstash_path) && use_logstash_source
+  gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
+  gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
+end

data/README.md

@@ -1,3 +1,31 @@
+## Description
+
+Dissect filter is an alternative to Grok filter and can be used to extract structured fields from an unstructured line.
+However, if the structure of your text varies from line to line then Grok is more suitable. There is a hybrid case where Dissect can be used to de-structure the section of the line that is reliably repeated and then Grok can be used on the remaining field values with  more regex predictability and less overall work to do.
+
+A set of fields and delimiters is called a *dissection*.
+
+The dissection is described using a set of `%{}` sections:
+....
+%{a} - %{b} - %{c}
+....
+
+A *field* is the text from `%` to `}` inclusive.
+
+A *delimiter* is the text between `}` and `%` characters. Delimiters can't contain these `}{%` characters.
+
+The config might look like this:
+
+```
+ filter {
+   dissect {
+     mapping => {
+       "message" => "%{ts} %{+ts} %{+ts} %{src} %{} %{prog}[%{pid}]: %{msg}"
+     }
+   }
+ }
+```
+
 ### NOTE
 Please read BUILD_INSTRUCTIONS.md
 
@@ -98,4 +126,4 @@ Programming is not a required skill. Whatever you've seen about open source and
 
 It is more important to the community that you are able to contribute.
 
-For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/VERSION

@@ -1 +1 @@
-1.0.8
+1.0.9

data/docs/index.asciidoc

@@ -0,0 +1,213 @@
+:plugin: dissect
+:type: filter
+
+///////////////////////////////////////////
+START - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+:version: %VERSION%
+:release_date: %RELEASE_DATE%
+:changelog_url: %CHANGELOG_URL%
+:include_path: ../../../../logstash/docs/include
+///////////////////////////////////////////
+END - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+
+[id="plugins-{type}-{plugin}"]
+
+=== Dissect filter plugin
+
+include::{include_path}/plugin_header.asciidoc[]
+
+==== Description
+
+The Dissect filter is a kind of split operation. Unlike a regular split operation where one delimiter is applied to the whole string, this operation applies a set of delimiters # to a string value. +
+Dissect does not use regular expressions and is very fast. +
+However, if the structure of your text varies from line to line then Grok is more suitable. +
+There is a hybrid case where Dissect can be used to de-structure the section of the line that is reliably repeated and then Grok can be used on the remaining field values with # more regex predictability and less overall work to do. +
+
+A set of fields and delimiters is called a *dissection*.
+
+The dissection is described using a set of `%{}` sections:
+....
+%{a} - %{b} - %{c}
+....
+
+A *field* is the text from `%` to `}` inclusive.
+
+A *delimiter* is the text between `}` and `%` characters.
+
+[NOTE]
+delimiters can't contain these `}{%` characters.
+
+The config might look like this:
+....
+  filter {
+    dissect {
+      mapping => {
+        "message" => "%{ts} %{+ts} %{+ts} %{src} %{} %{prog}[%{pid}]: %{msg}"
+      }
+    }
+  }
+....
+When dissecting a string from left to right, text is captured upto the first delimiter - this captured text is stored in the first field. This is repeated for each field/# delimiter pair thereafter until the last delimiter is reached, then *the remaining text is stored in the last field*. +
+
+*The Key:* +
+The key is the text between the `%{` and `}`, exclusive of the ?, +, & prefixes and the ordinal suffix. +
+`%{?aaa}` - key is `aaa` +
+`%{+bbb/3}` - key is `bbb` +
+`%{&ccc}` - key is `ccc` +
+
+*Normal field notation:* +
+The found value is added to the Event using the key. +
+`%{some_field}` - a normal field has no prefix or suffix
+
+*Skip field notation:* +
+The found value is stored internally but not added to the Event. +
+The key, if supplied, is prefixed with a `?`.
+
+`%{}` is an empty skip field.
+
+`%{?foo}` is a named skip field.
+
+*Append field notation:* +
+The value is appended to another value or stored if its the first field seen. +
+The key is prefixed with a `+`. +
+The final value is stored in the Event using the key. +
+
+[NOTE]
+====
+The delimiter found before the field is appended with the value. +
+If no delimiter is found before the field, a single space character is used.
+====
+
+`%{+some_field}` is an append field. +
+`%{+some_field/2}` is an append field with an order modifier.
+
+An order modifier, `/digits`, allows one to reorder the append sequence. +
+e.g. for a text of `1 2 3 go`, this `%{+a/2} %{+a/1} %{+a/4} %{+a/3}` will build a key/value of `a => 2 1 go 3` +
+Append fields without an order modifier will append in declared order. +
+e.g. for a text of `1 2 3 go`, this `%{a} %{b} %{+a}` will build two key/values of `a => 1 3 go, b => 2` +
+
+*Indirect field notation:* +
+The found value is added to the Event using the found value of another field as the key. +
+The key is prefixed with a `&`. +
+`%{&some_field}` - an indirect field where the key is indirectly sourced from the value of `some_field`. +
+e.g. for a text of `error: some_error, some_description`, this `error: %{?err}, %{&err}` will build a key/value of `some_error => some_description`.
+
+[NOTE]
+for append and indirect field the key can refer to a field that already exists in the event before dissection.
+
+[NOTE]
+use a Skip field if you do not want the indirection key/value stored.
+
+e.g. for a text of `google: 77.98`, this `%{?a}: %{&a}` will build a key/value of `google => 77.98`.
+
+[NOTE]
+===============================
+append and indirect cannot be combined and will fail validation. +
+`%{+&something}` - will add a value to the `&something` key, probably not the intended outcome. +
+`%{&+something}` will add a value to the `+something` key, again probably unintended. +
+===============================
+
+*Delimiter repetition:* +
+In the source text if a field has variable width padded with delimiters, the padding will be ignored. +
+e.g. for texts of:
+....
+00000043 ViewReceiver  I
+000000b3 Peer          I
+....
+with a dissection of `%{a} %{b} %{c}`; the padding is ignored, `event.get([c]) -> "I"`
+
+[NOTE]
+====
+You probably want to use this filter inside an `if` block. +
+This ensures that the event contains a field value with a suitable structure for the dissection.
+====
+
+For example...
+....
+filter {
+  if [type] == "syslog" or "syslog" in [tags] {
+    dissect {
+      mapping => {
+        "message" => "%{ts} %{+ts} %{+ts} %{src} %{} %{prog}[%{pid}]: %{msg}"
+      }
+    }
+  }
+}
+....
+
+[id="plugins-{type}s-{plugin}-options"]
+==== Dissect Filter Configuration Options
+
+This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
+
+[cols="<,<,<",options="header",]
+|=======================================================================
+|Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-convert_datatype>> |<<hash,hash>>|No
+| <<plugins-{type}s-{plugin}-mapping>> |<<hash,hash>>|No
+| <<plugins-{type}s-{plugin}-tag_on_failure>> |<<array,array>>|No
+|=======================================================================
+
+Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
+filter plugins.
+
+&nbsp;
+
+[id="plugins-{type}s-{plugin}-convert_datatype"]
+===== `convert_datatype` 
+
+  * Value type is <<hash,hash>>
+  * Default value is `{}`
+
+With this setting `int` and `float` datatype conversions can be specified. +
+These will be done after all `mapping` dissections have taken place. +
+Feel free to use this setting on its own without a `mapping` section. +
+
+For example
+[source, ruby]
+filter {
+  dissect {
+    convert_datatype => {
+      cpu => "float"
+      code => "int"
+    }
+  }
+}
+
+[id="plugins-{type}s-{plugin}-mapping"]
+===== `mapping` 
+
+  * Value type is <<hash,hash>>
+  * Default value is `{}`
+
+A hash of dissections of `field => value` +
+A later dissection can be done on values from a previous dissection or they can be independent.
+
+For example
+[source, ruby]
+filter {
+  dissect {
+    mapping => {
+      "message" => "%{field1} %{field2} %{description}"
+      "description" => "%{field3} %{field4} %{field5}"
+    }
+  }
+}
+
+This is useful if you want to keep the field `description` but also
+dissect it some more.
+
+[id="plugins-{type}s-{plugin}-tag_on_failure"]
+===== `tag_on_failure` 
+
+  * Value type is <<array,array>>
+  * Default value is `["_dissectfailure"]`
+
+Append values to the `tags` field when dissection fails
+
+
+
+[id="plugins-{type}s-{plugin}-common-options"]
+include::{include_path}/{type}.asciidoc[]

data/lib/jruby-dissect-library_jars.rb

@@ -1,4 +1,4 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
 
 require 'jar_dependencies'
-require_jar('org.logstash.dissect', 'jruby-dissect-library', '1.0.8')
+require_jar('org.logstash.dissect', 'jruby-dissect-library', '1.0.9')

data/lib/logstash/filters/dissect.rb

@@ -6,8 +6,6 @@ require "java"
 require "jruby-dissect-library_jars"
 require "jruby_dissector"
 
-# ==== *Dissect or how to de-structure text*
-#
 # The Dissect filter is a kind of split operation. Unlike a regular split operation where one delimiter is applied to the whole string, this operation applies a set of delimiters # to a string value. +
 # Dissect does not use regular expressions and is very fast. +
 # However, if the structure of your text varies from line to line then Grok is more suitable. +
@@ -80,7 +78,7 @@ require "jruby_dissector"
 # The found value is added to the Event using the found value of another field as the key. +
 # The key is prefixed with a `&`. +
 # `%{&some_field}` - an indirect field where the key is indirectly sourced from the value of `some_field`. +
-# e.g. for a text of `error: some_error, some_description`, this `error: %{?err}, %{&err}` will build a key/value of `some_error => description`.
+# e.g. for a text of `error: some_error, some_description`, this `error: %{?err}, %{&err}` will build a key/value of `some_error => some_description`.
 #
 # [NOTE]
 # for append and indirect field the key can refer to a field that already exists in the event before dissection.
@@ -184,4 +182,8 @@ module LogStash module Filters class Dissect < LogStash::Filters::Base
     @dissector.dissect_multi(events, self)
     events
   end
+
+  def metric_increment(metric_name)
+    metric.increment(metric_name)
+  end
 end end end

data/logstash-filter-dissect.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib", "vendor/jars"]
 
   # Files
-  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','VERSION','LICENSE','NOTICE.TXT']
+  s.files = Dir["lib/**/*","spec/**/*","*.gemspec","*.md","CONTRIBUTORS","Gemfile","LICENSE","NOTICE.TXT", "vendor/jar-dependencies/**/*.jar", "vendor/jar-dependencies/**/*.rb", "VERSION", "docs/**/*"]
    # Tests
   s.test_files = s.files.grep(%r{^(test|spec|features)/})
 

data/spec/filters/dissect_spec.rb

@@ -222,4 +222,56 @@ describe LogStash::Filters::Dissect do
       end
     end
   end
+
+  describe "metrics tracking" do
+
+    let(:options) { { "mapping" => { "message" => "%{a} %{b}" } } }
+    subject { described_class.new(options) }
+
+    before(:each) { subject.register }
+
+    context "when match is successful" do
+      let(:event) { LogStash::Event.new("message" => "1 2") }
+
+      it "should increment the matches metric" do
+        expect(subject).to receive(:metric_increment).once.with(:matches)
+        subject.filter(event)
+      end
+    end
+
+    context "when match is not successful" do
+      let(:event) { LogStash::Event.new("message" => "") }
+
+      it "should increment the failures metric" do
+        expect(subject).to receive(:metric_increment).once.with(:failures)
+        subject.filter(event)
+      end
+    end
+  end
+
+  describe "Basic dissection" do
+
+    let(:options) { { "mapping" => { "message" => "%{a} %{b}" } } }
+    subject { described_class.new(options) }
+    let(:event) { LogStash::Event.new(event_data) }
+
+    before(:each) do
+      subject.register
+      subject.filter(event)
+    end
+
+    context "when no field" do
+      let(:event_data) { {} }
+      it "should not add tags to the event" do
+        expect(event.get("tags")).to be_nil
+      end
+    end
+
+    context "when field is empty" do
+      let(:event_data) { { "message" => "" } }
+      it "should add tags to the event" do
+        expect(event.get("tags")).to include("_dissectfailure")
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-dissect
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.0.9
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-10-22 00:00:00.000000000 Z
+date: 2017-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -87,12 +87,12 @@ files:
 - NOTICE.TXT
 - README.md
 - VERSION
+- docs/index.asciidoc
 - lib/jruby-dissect-library_jars.rb
 - lib/logstash/filters/dissect.rb
 - logstash-filter-dissect.gemspec
 - spec/filters/dissect_spec.rb
 - spec/spec_helper.rb
-- vendor/jars/org/logstash/dissect/jruby-dissect-library/1.0.8/jruby-dissect-library-1.0.8.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -116,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.6
+rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
 summary: This dissect filter will de-structure text into multiple fields.