logstash-filter-elasticsearch 4.2.0 → 4.3.1

data/spec/filters/integration/elasticsearch_esql_spec.rb

@@ -0,0 +1,167 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/filters/elasticsearch"
+require "elasticsearch"
+require_relative "../../../spec/es_helper"
+
+describe LogStash::Filters::Elasticsearch, integration: true do
+
+  ELASTIC_SECURITY_ENABLED = ENV['ELASTIC_SECURITY_ENABLED'].eql? 'true'
+  SECURE_INTEGRATION = ENV['SECURE_INTEGRATION'].eql? 'true'
+  ES_HOSTS = ["http#{SECURE_INTEGRATION ? 's' : nil}://#{ESHelper.get_host_port}"]
+  CA_PATH = File.expand_path('../fixtures/test_certs/ca.crt', File.dirname(__FILE__))
+
+  let(:plugin) { described_class.new(config) }
+  let(:es_index) { "es-filter-plugin-esql-integration-#{rand(1000)}" }
+  let(:test_documents) do
+    [
+      { "message" => "test message 1", "type" => "a", "count" => 1 },
+      { "message" => "test message 2", "type" => "a", "count" => 2 },
+      { "message" => "test message 3", "type" => "b", "count" => 3 },
+      { "message" => "test message 4", "type" => "b", "count" => 4 },
+      { "message" => "test message 5", "type" => "c", "count" => 5 },
+      { "message" => "odd test message", "type" => "t" }
+    ]
+  end
+
+  let(:base_config) do
+    {
+      "query_type" => "esql",
+      "hosts" => ES_HOSTS,
+      "ssl_enabled" => SECURE_INTEGRATION
+    }
+  end
+
+  let(:credentials) do
+    if SECURE_INTEGRATION
+      { 'user' => 'tests', 'password' => 'Tests123' }
+    else
+      { 'user' => 'elastic', 'password' => ENV['ELASTIC_PASSWORD'] }
+    end
+  end
+
+  let(:config) do
+    config = ELASTIC_SECURITY_ENABLED ? base_config.merge(credentials) : base_config
+    config = { 'ssl_certificate_authorities' => CA_PATH }.merge(config) if SECURE_INTEGRATION
+    config
+  end
+
+  let(:event) { LogStash::Event.new({}) }
+
+  def es_client
+    @es_client ||= begin
+      user = SECURE_INTEGRATION ? 'tests' : 'elastic'
+      password = SECURE_INTEGRATION ? 'Tests123' : ENV['ELASTIC_PASSWORD']
+
+      es_client_config = { hosts: ES_HOSTS }
+      es_client_config = es_client_config.merge({ user: user, password: password }) if ELASTIC_SECURITY_ENABLED || SECURE_INTEGRATION
+      es_client_config = es_client_config.merge({ transport_options: { ssl: { ca_path: CA_PATH, verify: false }}}) if SECURE_INTEGRATION
+
+      Elasticsearch::Client.new(es_client_config)
+    end
+  end
+
+  before(:all) do
+    is_ls_with_esql_supported_client = Gem::Version.create(LOGSTASH_VERSION) >= Gem::Version.create(LogStash::Filters::Elasticsearch::LS_ESQL_SUPPORT_VERSION)
+    # Skip tests if an ES version doesn't support ES|QL
+    skip "LS version does not have ES client which supports ES|QL" unless is_ls_with_esql_supported_client
+
+    es_version_info = es_client.info["version"]
+    es_gem_version = Gem::Version.create(es_version_info["number"])
+    skip "ES version does not support ES|QL" if es_gem_version.nil? || es_gem_version < Gem::Version.create(LogStash::Filters::Elasticsearch::ES_ESQL_SUPPORT_VERSION)
+  end
+
+  before(:each) do
+    # Create index with test documents
+    es_client.indices.create(index: es_index, body: {}) unless es_client.indices.exists?(index: es_index)
+
+    test_documents.each do |doc|
+      es_client.index(index: es_index, body: doc, refresh: true)
+    end
+  end
+
+  after(:each) do
+    es_client.indices.delete(index: es_index) if es_client.indices.exists?(index: es_index)
+  end
+
+  describe "run ES|QL queries" do
+
+    before do
+      stub_const("LOGSTASH_VERSION", LogStash::Filters::Elasticsearch::LS_ESQL_SUPPORT_VERSION)
+    end
+
+    before(:each) do
+      plugin.register
+    end
+
+    shared_examples "ESQL query execution" do |expected_count, fields|
+      it "processes the event" do
+        plugin.filter(event)
+        expect(event.get("[@metadata][total_values]")).to eq(expected_count)
+        fields&.each do | field |
+          expect(event.get(field)).not_to be(nil)
+        end
+      end
+    end
+
+    describe "with simple FROM query with LIMIT" do
+      let(:config) do
+        super().merge("query" => "FROM #{es_index} | LIMIT 99")
+      end
+
+      include_examples "ESQL query execution", 6
+    end
+
+    describe "with simple FROM and WHERE query combinations" do
+      let(:config) do
+        super().merge("query" => "FROM #{es_index} | WHERE type==\"b\" | LIMIT 99")
+      end
+
+      include_examples "ESQL query execution", 2
+    end
+
+    describe "with query params" do
+      let(:config) do
+        super().merge("query" => "FROM #{es_index} | WHERE type==?type", "query_params" => { "type" => "b" })
+      end
+
+      include_examples "ESQL query execution", 2
+    end
+
+    describe "when invalid query used" do
+      let(:config) do
+        super().merge("query" => "FROM undefined index | LIMIT 1")
+      end
+
+      it "tags on failure" do
+        plugin.filter(event)
+        expect(event.to_hash["tags"]).to include("_elasticsearch_lookup_failure")
+      end
+    end
+
+    describe "when field enrichment requested" do
+      let(:config) do
+        super().merge("query" => "FROM #{es_index} | WHERE type==\"b\" | LIMIT 99")
+      end
+
+      include_examples "ESQL query execution", 2,  %w[message count]
+    end
+
+    describe "when non-exist field value appear" do
+      let(:config) do
+        super().merge("query" => "FROM #{es_index}", "target" => "target_field")
+      end
+
+      it "processes the event" do
+        plugin.filter(event)
+        expect(event.get("[@metadata][total_values]")).to eq(6)
+        expect(event.get("target_field").size).to eq(6)
+        values = event.get("target_field")
+        counts = values.count { |entry| entry.key?("count") }
+        messages = values.count { |entry| entry.key?("message") }
+        expect(counts).to eq(5)
+        expect(messages).to eq(6)
+      end
+    end
+  end
+end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-elasticsearch
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Elastic
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-05-07 00:00:00.000000000 Z
+date: 2025-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -19,7 +19,6 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
-  name: logstash-core-plugin-api
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -31,6 +30,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
 - !ruby/object:Gem::Dependency
+  name: elasticsearch
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -39,7 +39,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '9'
-  name: elasticsearch
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -51,12 +50,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '9'
 - !ruby/object:Gem::Dependency
+  name: manticore
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.7.1
-  name: manticore
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -65,12 +64,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.7.1
 - !ruby/object:Gem::Dependency
+  name: logstash-mixin-ecs_compatibility_support
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
-  name: logstash-mixin-ecs_compatibility_support
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -79,12 +78,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
+  name: logstash-mixin-ca_trusted_fingerprint_support
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-  name: logstash-mixin-ca_trusted_fingerprint_support
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -93,12 +92,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
+  name: logstash-mixin-validator_support
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-  name: logstash-mixin-validator_support
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -107,12 +106,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
+  name: cabin
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
-  name: cabin
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -121,12 +120,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.6'
 - !ruby/object:Gem::Dependency
+  name: webrick
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: webrick
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -135,12 +134,12 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
+  name: logstash-devutils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-devutils
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -165,9 +164,13 @@ files:
 - docs/index.asciidoc
 - lib/logstash/filters/elasticsearch.rb
 - lib/logstash/filters/elasticsearch/client.rb
+- lib/logstash/filters/elasticsearch/dsl_executor.rb
+- lib/logstash/filters/elasticsearch/esql_executor.rb
 - lib/logstash/filters/elasticsearch/patches/_elasticsearch_transport_http_manticore.rb
 - logstash-filter-elasticsearch.gemspec
 - spec/es_helper.rb
+- spec/filters/elasticsearch_dsl_spec.rb
+- spec/filters/elasticsearch_esql_spec.rb
 - spec/filters/elasticsearch_spec.rb
 - spec/filters/elasticsearch_ssl_spec.rb
 - spec/filters/fixtures/elasticsearch_7.x_hits_total_as_object.json
@@ -193,6 +196,7 @@ files:
 - spec/filters/fixtures/test_certs/ls.crt
 - spec/filters/fixtures/test_certs/ls.der.sha256
 - spec/filters/fixtures/test_certs/ls.key
+- spec/filters/integration/elasticsearch_esql_spec.rb
 - spec/filters/integration/elasticsearch_spec.rb
 homepage: https://elastic.co/logstash
 licenses:
@@ -200,7 +204,6 @@ licenses:
 metadata:
   logstash_plugin: 'true'
   logstash_group: filter
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -215,12 +218,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
-signing_key:
+rubygems_version: 3.6.3
 specification_version: 4
 summary: Copies fields from previous log events in Elasticsearch to current events
 test_files:
 - spec/es_helper.rb
+- spec/filters/elasticsearch_dsl_spec.rb
+- spec/filters/elasticsearch_esql_spec.rb
 - spec/filters/elasticsearch_spec.rb
 - spec/filters/elasticsearch_ssl_spec.rb
 - spec/filters/fixtures/elasticsearch_7.x_hits_total_as_object.json
@@ -246,4 +250,5 @@ test_files:
 - spec/filters/fixtures/test_certs/ls.crt
 - spec/filters/fixtures/test_certs/ls.der.sha256
 - spec/filters/fixtures/test_certs/ls.key
+- spec/filters/integration/elasticsearch_esql_spec.rb
 - spec/filters/integration/elasticsearch_spec.rb