logstash-filter-elasticsearch 2.0.4 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a45e372b9a69c832048cf4c3ce538d1c71e4e8ac
-  data.tar.gz: a91ec84ccc0b978d4c0d4d3a7f7486d5e1c2ce2e
+  metadata.gz: cfc8b5e9cf33d9d7ef26f24fa0692a8e64119c17
+  data.tar.gz: 84e9261001fa6a28fd111391fcb23b36c41ce834
 SHA512:
-  metadata.gz: 1dc53b2ac23c20d84311bb4164b2933a86625d089eb0f3e38805628d2ff805b0ced72e8423cc79ceb0907d27c61d4ed1ca9647345ec835ce055697ca9d636695
-  data.tar.gz: aa1267575f30dafa1f3cfc4692ab57c7fc44b2cf175424773a093a926938dda62b8e4cb1ee9d9ea8a62ac2b7f22e7fbb03c06d981f530aaedc31148a84565739
+  metadata.gz: 853a1678509361a7eedd80a0fc8264ac7184b0aaf6358cf0373ee0a9783af96620bf873cd12a5d08ba0c9bb5f8966883d68f36fc0c228e64a01b82ed8292134f
+  data.tar.gz: bf37c8e634112d4d5b8cb86cd018cd200e6f91fa11bffabc0fec9e5f38f6dd00eb0404ae4d8fe99fc79ee68df47b5f912a91f4d594b2c54e54169ec9564eb260

data/CHANGELOG.md

@@ -1,12 +1,18 @@
-# 2.0.4
+## 2.1.0
+  - Improved the configuration options to be more easy to understand and
+    match what the expectations are from the documentation.
+  - Initial refactoring to include later one a common client for all the
+    ES plugins.
+  - Adding support for having an index in the query pattern.
+  - Improved documentation.
+  - Added intitial integration and unit tests.
+## 2.0.4
   - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
-# 2.0.3
+## 2.0.3
   - New dependency requirements for logstash-core for the 5.0 release
 ## 2.0.0
  - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, 
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
  - Dependency on logstash-core update to 2.0
-
 ## 0.1.6
-
 - removed require statement for a file that is no longer present in logstash-core.

data/Gemfile

@@ -1,2 +1,3 @@
 source 'https://rubygems.org'
-gemspec
+gemspec
+gem "pry", :group => :development

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2012–2015 Elasticsearch <http://www.elastic.co>
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

data/README.md

@@ -1,7 +1,6 @@
 # Logstash Plugin
 
-[![Build
-Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-elasticsearch-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-elasticsearch-unit/)
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-filter-elasticsearch.svg)](https://travis-ci.org/logstash-plugins/logstash-filter-elasticsearch)
 
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
 
@@ -56,7 +55,12 @@ gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
 ```
 - Install plugin
 ```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
 bin/plugin install --no-verify
+
 ```
 - Run Logstash with your plugin
 ```sh
@@ -74,7 +78,12 @@ gem build logstash-filter-awesome.gemspec
 ```
 - Install the plugin from the Logstash home
 ```sh
-bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
 ```
 - Start Logstash and proceed to test the plugin
 

data/lib/logstash/filters/elasticsearch.rb

@@ -1,6 +1,7 @@
+# encoding: utf-8
 require "logstash/filters/base"
 require "logstash/namespace"
-require "base64"
+require_relative "elasticsearch/client"
 
 
 # Search elasticsearch for a previous log event and copy some fields from it
@@ -15,7 +16,7 @@ require "base64"
 #          elasticsearch {
 #             hosts => ["es-server"]
 #             query => "type:start AND operation:%{[opid]}"
-#             fields => ["@timestamp", "started"]
+#             fields => [["@timestamp", "started"]]
 #          }
 #
 #          date {
@@ -32,9 +33,13 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
   config_name "elasticsearch"
 
   # List of elasticsearch hosts to use for querying.
-  config :hosts, :validate => :array
+  config :hosts, :validate => :array,  :default => [ "localhost:9200" ]
+  
+  # Comma-delimited list of index names to search; use `_all` or empty string to perform the operation on all indices
+  config :index, :validate => :string, :default => ""
 
-  # Elasticsearch query string
+  # Elasticsearch query string. Read the Elasticsearch query string documentation
+  # for more info at: https://www.elastic.co/guide/en/elasticsearch/reference/master/query-dsl-query-string-query.html#query-string-syntax
   config :query, :validate => :string
 
   # Comma-delimited list of `<field>:<direction>` pairs that define the sort order
@@ -55,49 +60,46 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
   # SSL Certificate Authority file
   config :ca_file, :validate => :path
 
+  # Whether results should be sorted or not
+  config :enable_sort, :validate => :boolean, :default => true
 
-  public
-  def register
-    require "elasticsearch"
-
-    transport_options = {}
-
-    if @user && @password
-      token = Base64.strict_encode64("#{@user}:#{@password.value}")
-      transport_options[:headers] = { Authorization: "Basic #{token}" }
-    end
-
-    hosts = if @ssl then
-      @hosts.map {|h| { host: h, scheme: 'https' } }
-    else
-      @hosts
-    end
+  # How many results to return
+  config :result_size, :validate => :number, :default => 1
 
-    if @ssl && @ca_file
-      transport_options[:ssl] = { ca_file: @ca_file }
-    end
+  # Tags the event on failure to look up geo information. This can be used in later analysis.
+  config :tag_on_failure, :validate => :array, :default => ["_elasticsearch_lookup_failure"]
 
-    @logger.info("New ElasticSearch filter", :hosts => hosts)
-    @client = Elasticsearch::Client.new hosts: hosts, transport_options: transport_options
+  def register
+    options = {
+      :ssl => @ssl,
+      :hosts => @hosts,
+      :ca_file => @ca_file,
+      :logger => @logger,
+      :index => @index
+    }
+    @client = LogStash::Filters::ElasticsearchClient.new(@user, @password, options)
   end # def register
 
-  public
   def filter(event)
-    
-
     begin
       query_str = event.sprintf(@query)
-
-      results = @client.search q: query_str, sort: @sort, size: 1
-
-      @fields.each do |old, new|
-        event[new] = results['hits']['hits'][0]['_source'][old]
+      params = { :q => query_str, :size => result_size }
+      params[:sort] =  @sort if @enable_sort
+      results = @client.search(params)
+
+      @fields.each do |old_key, new_key|
+        if !results['hits']['hits'].empty?
+          set = []
+          results["hits"]["hits"].to_a.each do |doc|
+            set << doc["_source"][old_key]
+          end
+          event[new_key] = ( set.count > 1 ? set : set.first)
+        end
       end
-
-      filter_matched(event)
     rescue => e
-      @logger.warn("Failed to query elasticsearch for previous event",
-                   :query => query_str, :event => event, :error => e)
+      @logger.warn("Failed to query elasticsearch for previous event", :index, @index, :query => query_str, :event => event, :error => e)
+      @tag_on_failure.each{|tag| event.tag(tag)}
     end
+    filter_matched(event)
   end # def filter
 end # class LogStash::Filters::Elasticsearch

data/lib/logstash/filters/elasticsearch/client.rb

@@ -0,0 +1,35 @@
+# encoding: utf-8
+require "elasticsearch"
+require "base64"
+
+module LogStash
+  module Filters
+    class ElasticsearchClient
+
+      attr_reader :client
+
+      def initialize(user, password, options={})
+        ssl     = options.fetch(:ssh, false)
+        hosts   = options[:hosts]
+        @logger = options[:logger]
+
+        transport_options = {}
+        if user && password
+          token = ::Base64.strict_encode64("#{user}:#{password.value}")
+          transport_options[:headers] = { Authorization: "Basic #{token}" }
+        end
+
+        host.map! {|h| { host: h, scheme: 'https' } } if ssl
+        transport_options[:ssl] = { ca_file: options[:ca_file] } if ssl && options[:ca_file]
+
+        @logger.info("New ElasticSearch filter", :hosts => hosts)
+        @client = ::Elasticsearch::Client.new(index: options[:index], hosts: hosts, transport_options: transport_options)
+      end
+
+      def search(params)
+        @client.search(params)
+      end
+
+    end
+  end
+end

data/logstash-filter-elasticsearch.gemspec

@@ -1,10 +1,10 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-filter-elasticsearch'
-  s.version         = '2.0.4'
+  s.version         = '2.1.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Search elasticsearch for a previous log event and copy some fields from it into the current event"
-  s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
   s.authors         = ["Elastic"]
   s.email           = 'info@elastic.co'
   s.homepage        = "http://www.elastic.co/guide/en/logstash/current/index.html"

data/spec/filters/elasticsearch_spec.rb

@@ -1,8 +1,8 @@
 # encoding: utf-8
-
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/plugin"
 require "logstash/filters/elasticsearch"
+require "logstash/json"
 
 describe LogStash::Filters::Elasticsearch do
 
@@ -15,4 +15,69 @@ describe LogStash::Filters::Elasticsearch do
     end
   end
 
+  describe "data fetch" do
+    let(:config) do
+      {
+        "hosts" => ["localhost:9200"],
+        "query" => "response: 404",
+        "fields" => [ ["response", "code"] ],
+      }
+    end
+    let(:plugin) { described_class.new(config) }
+    let(:event)  { LogStash::Event.new({}) }
+
+    let(:response) do
+      LogStash::Json.load(File.read(File.join(File.dirname(__FILE__), "fixtures", "request_x_1.json")))
+    end
+
+    let(:client) { double(:client) }
+
+    before(:each) do
+      allow(LogStash::Filters::ElasticsearchClient).to receive(:new).and_return(client)
+      allow(client).to receive(:search).and_return(response)
+      plugin.register
+    end
+
+    it "should enhance the current event with new data" do
+      plugin.filter(event)
+      expect(event["code"]).to eq(404)
+    end
+
+    context "when asking for more than one result" do
+
+      let(:config) do
+        {
+          "hosts" => ["localhost:9200"],
+          "query" => "response: 404",
+          "fields" => [ ["response", "code"] ],
+          "result_size" => 10
+        }
+      end
+
+      let(:response) do
+        LogStash::Json.load(File.read(File.join(File.dirname(__FILE__), "fixtures", "request_x_10.json")))
+      end
+
+      it "should enhance the current event with new data" do
+        plugin.filter(event)
+        expect(event["code"]).to eq([404]*10)
+      end
+    end
+
+    context "if something wrong happen during connection" do
+
+      before(:each) do
+        allow(LogStash::Filters::ElasticsearchClient).to receive(:new).and_return(client)
+        allow(client).to receive(:search).and_raise("connection exception")
+        plugin.register
+      end
+
+      it "tag the event as something happened, but still deliver it" do
+        expect(plugin.logger).to receive(:warn)
+        plugin.filter(event)
+        expect(event.to_hash["tags"]).to include("_elasticsearch_lookup_failure")
+      end
+    end
+  end
+
 end

data/spec/filters/fixtures/request_x_1.json

@@ -0,0 +1,62 @@
+{
+	"took": 49,
+	"timed_out": false,
+	"_shards": {
+		"total": 155,
+		"successful": 155,
+		"failed": 0
+	},
+	"hits": {
+		"total": 13476,
+		"max_score": 1,
+		"hits": [{
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY76L_AW7v0kX8KXo4",
+			"_score": 1,
+			"_source": {
+				"request": "/doc/index.html?org/elasticsearch/action/search/SearchResponse.html",
+				"agent": "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "66.249.73.185",
+					"latitude": 37.386,
+					"continent_code": "NA",
+					"city_name": "Mountain View",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 807,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-122.0838,
+						37.386
+					],
+					"postal_code": "94035",
+					"longitude": -122.0838,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"major": "2",
+					"minor": "1",
+					"name": "Googlebot",
+					"os_name": "Other",
+					"device": "Spider"
+				},
+				"message": "66.249.73.185 - - [26/Aug/2014:21:22:13 +0000] \"GET /doc/index.html?org/elasticsearch/action/search/SearchResponse.html HTTP/1.1\" 404 294 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-26T21:22:13.000Z",
+				"response": 404,
+				"bytes": 294,
+				"clientip": "66.249.73.185",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:21:22:13 +0000"
+			}
+    }]
+	}
+}

data/spec/filters/fixtures/request_x_10.json

@@ -0,0 +1,500 @@
+{
+	"took": 49,
+	"timed_out": false,
+	"_shards": {
+		"total": 155,
+		"successful": 155,
+		"failed": 0
+	},
+	"hits": {
+		"total": 13476,
+		"max_score": 1,
+		"hits": [{
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY76L_AW7v0kX8KXo4",
+			"_score": 1,
+			"_source": {
+				"request": "/doc/index.html?org/elasticsearch/action/search/SearchResponse.html",
+				"agent": "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "66.249.73.185",
+					"latitude": 37.386,
+					"continent_code": "NA",
+					"city_name": "Mountain View",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 807,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-122.0838,
+						37.386
+					],
+					"postal_code": "94035",
+					"longitude": -122.0838,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"major": "2",
+					"minor": "1",
+					"name": "Googlebot",
+					"os_name": "Other",
+					"device": "Spider"
+				},
+				"message": "66.249.73.185 - - [26/Aug/2014:21:22:13 +0000] \"GET /doc/index.html?org/elasticsearch/action/search/SearchResponse.html HTTP/1.1\" 404 294 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-26T21:22:13.000Z",
+				"response": 404,
+				"bytes": 294,
+				"clientip": "66.249.73.185",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:21:22:13 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY76eJAW7v0kX8KXtH",
+			"_score": 1,
+			"_source": {
+				"request": "/presentations/logstash-puppetconf-2012/images/office-space-printer-beat-down-gif.gif",
+				"agent": "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1\"",
+				"geoip": {
+					"timezone": "Asia/Shanghai",
+					"ip": "111.199.235.239",
+					"latitude": 39.9289,
+					"continent_code": "AS",
+					"city_name": "Beijing",
+					"country_code2": "CN",
+					"country_name": "China",
+					"dma_code": null,
+					"country_code3": "CN",
+					"region_name": "Beijing",
+					"location": [
+						116.3883,
+						39.9289
+					],
+					"postal_code": null,
+					"longitude": 116.3883,
+					"region_code": "11"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"patch": "5",
+					"os": "Mac OS X 10.8.5",
+					"major": "6",
+					"minor": "0",
+					"os_minor": "8",
+					"os_major": "10",
+					"name": "Safari",
+					"os_name": "Mac OS X",
+					"device": "Other"
+				},
+				"message": "111.199.235.239 - - [26/Aug/2014:22:06:06 +0000] \"GET /presentations/logstash-puppetconf-2012/images/office-space-printer-beat-down-gif.gif HTTP/1.1\" 404 364 \"http://semicomplete.com/presentations/logstash-puppetconf-2012/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1\"",
+				"referrer": "\"http://semicomplete.com/presentations/logstash-puppetconf-2012/\"",
+				"@timestamp": "2014-08-26T22:06:06.000Z",
+				"response": 404,
+				"bytes": 364,
+				"clientip": "111.199.235.239",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:22:06:06 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY76eJAW7v0kX8KXtf",
+			"_score": 1,
+			"_source": {
+				"request": "/files/logstash/logstash-1.3.2-monolithic.jar",
+				"agent": "\"Chef Client/10.18.2 (ruby-1.9.3-p327; ohai-6.16.0; x86_64-linux; +http://opscode.com)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "208.91.156.11",
+					"latitude": 34.0486,
+					"continent_code": "NA",
+					"city_name": "Los Angeles",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 803,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-118.4424,
+						34.0486
+					],
+					"postal_code": "90025",
+					"longitude": -118.4424,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"name": "Other",
+					"os_name": "Other",
+					"device": "Other"
+				},
+				"message": "208.91.156.11 - - [26/Aug/2014:22:12:14 +0000] \"GET /files/logstash/logstash-1.3.2-monolithic.jar HTTP/1.1\" 404 324 \"-\" \"Chef Client/10.18.2 (ruby-1.9.3-p327; ohai-6.16.0; x86_64-linux; +http://opscode.com)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-26T22:12:14.000Z",
+				"response": 404,
+				"bytes": 324,
+				"clientip": "208.91.156.11",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:22:12:14 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY761xAW7v0kX8KXvw",
+			"_score": 1,
+			"_source": {
+				"request": "/files/logstash/logstash-1.3.2-monolithic.jar",
+				"agent": "\"Chef Client/10.18.2 (ruby-1.9.3-p327; ohai-6.16.0; x86_64-linux; +http://opscode.com)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "208.91.156.11",
+					"latitude": 34.0486,
+					"continent_code": "NA",
+					"city_name": "Los Angeles",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 803,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-118.4424,
+						34.0486
+					],
+					"postal_code": "90025",
+					"longitude": -118.4424,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"name": "Other",
+					"os_name": "Other",
+					"device": "Other"
+				},
+				"message": "208.91.156.11 - - [26/Aug/2014:22:42:22 +0000] \"GET /files/logstash/logstash-1.3.2-monolithic.jar HTTP/1.1\" 404 324 \"-\" \"Chef Client/10.18.2 (ruby-1.9.3-p327; ohai-6.16.0; x86_64-linux; +http://opscode.com)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-26T22:42:22.000Z",
+				"response": 404,
+				"bytes": 324,
+				"clientip": "208.91.156.11",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:22:42:22 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY77AwAW7v0kX8KXx8",
+			"_score": 1,
+			"_source": {
+				"request": "/wp-login.php",
+				"agent": "\"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/24.0.1290.1 Safari/537.13\"",
+				"geoip": {
+					"timezone": "Europe/Rome",
+					"ip": "195.250.34.144",
+					"latitude": 43.4995,
+					"continent_code": "EU",
+					"city_name": "Arezzo",
+					"country_code2": "IT",
+					"country_name": "Italy",
+					"dma_code": null,
+					"country_code3": "IT",
+					"region_name": "Province of Arezzo",
+					"location": [
+						11.9109,
+						43.4995
+					],
+					"postal_code": "52100",
+					"longitude": 11.9109,
+					"region_code": "AR"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"patch": "1290",
+					"os": "Windows 7",
+					"major": "24",
+					"minor": "0",
+					"name": "Chrome",
+					"os_name": "Windows 7",
+					"device": "Other"
+				},
+				"message": "195.250.34.144 - - [26/Aug/2014:23:40:50 +0000] \"GET /wp-login.php HTTP/1.1\" 404 292 \"-\" \"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/24.0.1290.1 Safari/537.13\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-26T23:40:50.000Z",
+				"response": 404,
+				"bytes": 292,
+				"clientip": "195.250.34.144",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:23:40:50 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY77AwAW7v0kX8KXyB",
+			"_score": 1,
+			"_source": {
+				"request": "/presentations/logstash-puppetconf-2012/images/office-space-printer-beat-down-gif.gif",
+				"agent": "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/6.1.1 Safari/537.73.11\"",
+				"geoip": {
+					"timezone": "Asia/Kolkata",
+					"ip": "122.166.142.108",
+					"latitude": 12.9833,
+					"continent_code": "AS",
+					"city_name": "Bengaluru",
+					"country_code2": "IN",
+					"country_name": "India",
+					"dma_code": null,
+					"country_code3": "IN",
+					"region_name": "Karnataka",
+					"location": [
+						77.5833,
+						12.9833
+					],
+					"postal_code": null,
+					"longitude": 77.5833,
+					"region_code": "KA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"patch": "1",
+					"os": "Mac OS X 10.8.5",
+					"major": "6",
+					"minor": "1",
+					"os_minor": "8",
+					"os_major": "10",
+					"name": "Safari",
+					"os_name": "Mac OS X",
+					"device": "Other"
+				},
+				"message": "122.166.142.108 - - [26/Aug/2014:23:41:19 +0000] \"GET /presentations/logstash-puppetconf-2012/images/office-space-printer-beat-down-gif.gif HTTP/1.1\" 404 364 \"http://semicomplete.com/presentations/logstash-puppetconf-2012/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/6.1.1 Safari/537.73.11\"",
+				"referrer": "\"http://semicomplete.com/presentations/logstash-puppetconf-2012/\"",
+				"@timestamp": "2014-08-26T23:41:19.000Z",
+				"response": 404,
+				"bytes": 364,
+				"clientip": "122.166.142.108",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:23:41:19 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.26",
+			"_type": "logs",
+			"_id": "AVVY77NUAW7v0kX8KX0s",
+			"_score": 1,
+			"_source": {
+				"request": "/projects/xdotool%3E",
+				"agent": "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "66.249.73.135",
+					"latitude": 37.386,
+					"continent_code": "NA",
+					"city_name": "Mountain View",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 807,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-122.0838,
+						37.386
+					],
+					"postal_code": "94035",
+					"longitude": -122.0838,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"major": "2",
+					"minor": "1",
+					"name": "Googlebot",
+					"os_name": "Other",
+					"device": "Spider"
+				},
+				"message": "66.249.73.135 - - [26/Aug/2014:23:25:32 +0000] \"GET /projects/xdotool%3E HTTP/1.1\" 404 7861 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-26T23:25:32.000Z",
+				"response": 404,
+				"bytes": 7861,
+				"clientip": "66.249.73.135",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "26/Aug/2014:23:25:32 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.27",
+			"_type": "logs",
+			"_id": "AVVY77vzAW7v0kX8KX5_",
+			"_score": 1,
+			"_source": {
+				"request": "/wp-login.php?action=register",
+				"agent": "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:21.0) Gecko/20100101 Firefox/21.0\"",
+				"geoip": {
+					"timezone": "America/Chicago",
+					"ip": "198.143.145.210",
+					"latitude": 41.8825,
+					"continent_code": "NA",
+					"city_name": "Chicago",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 602,
+					"country_code3": "US",
+					"region_name": "Illinois",
+					"location": [-87.6441,
+						41.8825
+					],
+					"postal_code": "60661",
+					"longitude": -87.6441,
+					"region_code": "IL"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Mac OS X 10.7",
+					"major": "21",
+					"minor": "0",
+					"os_minor": "7",
+					"os_major": "10",
+					"name": "Firefox",
+					"os_name": "Mac OS X",
+					"device": "Other"
+				},
+				"message": "198.143.145.210 - - [27/Aug/2014:01:30:10 +0000] \"GET /wp-login.php?action=register HTTP/1.0\" 404 296 \"http://www.semicomplete.com/misc/sample.log\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:21.0) Gecko/20100101 Firefox/21.0\"",
+				"referrer": "\"http://www.semicomplete.com/misc/sample.log\"",
+				"@timestamp": "2014-08-27T01:30:10.000Z",
+				"response": 404,
+				"bytes": 296,
+				"clientip": "198.143.145.210",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.0",
+				"timestamp": "27/Aug/2014:01:30:10 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.27",
+			"_type": "logs",
+			"_id": "AVVY77vzAW7v0kX8KX6w",
+			"_score": 1,
+			"_source": {
+				"request": "/projects/securitrack/config.xsl",
+				"agent": "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "66.249.73.135",
+					"latitude": 37.386,
+					"continent_code": "NA",
+					"city_name": "Mountain View",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 807,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-122.0838,
+						37.386
+					],
+					"postal_code": "94035",
+					"longitude": -122.0838,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"major": "2",
+					"minor": "1",
+					"name": "Googlebot",
+					"os_name": "Other",
+					"device": "Spider"
+				},
+				"message": "66.249.73.135 - - [27/Aug/2014:01:40:51 +0000] \"GET /projects/securitrack/config.xsl HTTP/1.1\" 404 315 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-27T01:40:51.000Z",
+				"response": 404,
+				"bytes": 315,
+				"clientip": "66.249.73.135",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "27/Aug/2014:01:40:51 +0000"
+			}
+		}, {
+			"_index": "logstash-2014.08.27",
+			"_type": "logs",
+			"_id": "AVVY78FiAW7v0kX8KYBM",
+			"_score": 1,
+			"_source": {
+				"request": "/files/logstash/logstash-1.3.2-monolithic.jar",
+				"agent": "\"Chef Client/10.18.2 (ruby-1.9.3-p327; ohai-6.16.0; x86_64-linux; +http://opscode.com)\"",
+				"geoip": {
+					"timezone": "America/Los_Angeles",
+					"ip": "208.91.156.11",
+					"latitude": 34.0486,
+					"continent_code": "NA",
+					"city_name": "Los Angeles",
+					"country_code2": "US",
+					"country_name": "United States",
+					"dma_code": 803,
+					"country_code3": "US",
+					"region_name": "California",
+					"location": [-118.4424,
+						34.0486
+					],
+					"postal_code": "90025",
+					"longitude": -118.4424,
+					"region_code": "CA"
+				},
+				"auth": "-",
+				"ident": "-",
+				"verb": "GET",
+				"useragent": {
+					"os": "Other",
+					"name": "Other",
+					"os_name": "Other",
+					"device": "Other"
+				},
+				"message": "208.91.156.11 - - [27/Aug/2014:02:44:04 +0000] \"GET /files/logstash/logstash-1.3.2-monolithic.jar HTTP/1.1\" 404 324 \"-\" \"Chef Client/10.18.2 (ruby-1.9.3-p327; ohai-6.16.0; x86_64-linux; +http://opscode.com)\"",
+				"referrer": "\"-\"",
+				"@timestamp": "2014-08-27T02:44:04.000Z",
+				"response": 404,
+				"bytes": 324,
+				"clientip": "208.91.156.11",
+				"@version": "1",
+				"host": "skywalker",
+				"httpversion": "1.1",
+				"timestamp": "27/Aug/2014:02:44:04 +0000"
+			}
+		}]
+	}
+}

data/spec/filters/integration/elasticsearch_spec.rb

@@ -0,0 +1,44 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/plugin"
+require "logstash/filters/elasticsearch"
+
+describe LogStash::Filters::Elasticsearch, :integration => true do
+
+  let(:config) do
+    {
+      "hosts" => ["localhost:9200"],
+      "query" => "response: 404",
+      "fields" => [ ["response", "code"] ],
+    }
+  end
+  let(:plugin) { described_class.new(config) }
+  let(:event)  { LogStash::Event.new({}) }
+
+  before(:each) do
+    plugin.register
+  end
+
+  it "should enhance the current event with new data" do
+    plugin.filter(event)
+    expect(event["code"]).to eq(404)
+  end
+
+  context "when retrieving a list of elements" do
+
+    let(:config) do
+      {
+        "hosts" => ["localhost:9200"],
+        "query" => "response: 404",
+        "fields" => [ ["response", "code"] ],
+        "result_size" => 10
+      }
+    end
+
+    it "should enhance the current event with new data" do
+      plugin.filter(event)
+      expect(event["code"]).to eq([404]*10)
+    end
+
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-elasticsearch
 version: !ruby/object:Gem::Version
-  version: 2.0.4
+  version: 2.1.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-03-24 00:00:00.000000000 Z
+date: 2016-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -52,7 +52,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
@@ -65,8 +65,12 @@ files:
 - NOTICE.TXT
 - README.md
 - lib/logstash/filters/elasticsearch.rb
+- lib/logstash/filters/elasticsearch/client.rb
 - logstash-filter-elasticsearch.gemspec
 - spec/filters/elasticsearch_spec.rb
+- spec/filters/fixtures/request_x_1.json
+- spec/filters/fixtures/request_x_10.json
+- spec/filters/integration/elasticsearch_spec.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -95,3 +99,6 @@ specification_version: 4
 summary: Search elasticsearch for a previous log event and copy some fields from it into the current event
 test_files:
 - spec/filters/elasticsearch_spec.rb
+- spec/filters/fixtures/request_x_1.json
+- spec/filters/fixtures/request_x_10.json
+- spec/filters/integration/elasticsearch_spec.rb