logstash-filter-grok 2.0.5 → 3.0.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +2 -0
- data/Gemfile +3 -1
- data/LICENSE +1 -1
- data/README.md +12 -3
- data/lib/logstash/filters/grok.rb +7 -9
- data/logstash-filter-grok.gemspec +3 -3
- data/spec/filters/grok_spec.rb +166 -166
- metadata +20 -18
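--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6ed17e8438274c966ed007c49208b42683ce7e95
+data.tar.gz: 98c0b8ff214122ef7e1c90d7bb527d86e44e09aa
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2e36982282ce0ab9ba59b9c59a7b659897f2d87ad67f059d167dbc3666b1298c3584c22737923b27e04287e6854cd691654281dde12aebb486c333f8e2798d7a
+data.tar.gz: 41a23c2079664a3a1d6c7849fd05e4255bc2ec462eeb500cf3cea8a2cface478be2ed48eb9070f17083b2e080eea221555cbe53d7cf848ad57ba49b971d78286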
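--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 3.0.0
+- Update the plugin to the version 2.0 of the plugin api, this change is required for Logstash 5.0 compatibility. See https://github.com/elastic/logstash/issues/5141
 # 2.0.5
 - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
 # 2.0.4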
data/Gemfile
CHANGED
data/LICENSE
CHANGED
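--- a/data/README.md
+++ b/data/README.md
@@ -1,7 +1,6 @@
 # Logstash Plugin
 
-[![Build
-Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-grok-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Filters/job/logstash-plugin-filter-grok-unit/)
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-filter-grok.svg)](https://travis-ci.org/logstash-plugins/logstash-filter-grok)
 
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
 
@@ -56,7 +55,12 @@ gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
 ```
 - Install plugin
 ```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
 bin/plugin install --no-verify
+
 ```
 - Run Logstash with your plugin
 ```sh
@@ -74,7 +78,12 @@ gem build logstash-filter-awesome.gemspec
 ```
 - Install the plugin from the Logstash home
 ```sh
-
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
+
 ```
 - Start Logstash and proceed to test the plugin
 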
@@ -247,7 +247,7 @@
|
|
247
247
|
# will let folks redefine built-in patterns at runtime.
|
248
248
|
@patternfiles += patterns_files_from_paths(@@patterns_path.to_a, "*")
|
249
249
|
@patternfiles += patterns_files_from_paths(@patterns_dir, @patterns_files_glob)
|
250
|
-
|
250
|
+
|
251
251
|
@patterns = Hash.new { |h,k| h[k] = [] }
|
252
252
|
|
253
253
|
@logger.info? and @logger.info("Match data", :match => @match)
|
@@ -269,8 +269,6 @@
|
|
269
269
|
|
270
270
|
public
|
271
271
|
def filter(event)
|
272
|
-
|
273
|
-
|
274
272
|
matched = false
|
275
273
|
done = false
|
276
274
|
|
@@ -294,7 +292,7 @@
|
|
294
292
|
|
295
293
|
private
|
296
294
|
def match(groks, field, event)
|
297
|
-
input = event
|
295
|
+
input = event.get(field)
|
298
296
|
if input.is_a?(Array)
|
299
297
|
success = false
|
300
298
|
input.each do |input|
|
@@ -327,21 +325,21 @@
|
|
327
325
|
return if (value.nil? || (value.is_a?(String) && value.empty?)) unless @keep_empty_captures
|
328
326
|
|
329
327
|
if @overwrite.include?(field)
|
330
|
-
event
|
328
|
+
event.set(field, value)
|
331
329
|
else
|
332
|
-
v = event
|
330
|
+
v = event.get(field)
|
333
331
|
if v.nil?
|
334
|
-
event
|
332
|
+
event.set(field, value)
|
335
333
|
elsif v.is_a?(Array)
|
336
334
|
# do not replace the code below with:
|
337
335
|
# event[field] << value
|
338
336
|
# this assumes implementation specific feature of returning a mutable object
|
339
337
|
# from a field ref which should not be assumed and will change in the future.
|
340
338
|
v << value
|
341
|
-
event
|
339
|
+
event.set(field, v)
|
342
340
|
elsif v.is_a?(String)
|
343
341
|
# Promote to array since we aren't overwriting.
|
344
|
-
event
|
342
|
+
event.set(field, [v, value])
|
345
343
|
end
|
346
344
|
end
|
347
345
|
end
|
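Review bot: In the last hunk (`@@ -327,21 +325,21 @@`) the merge chain stops at `elsif v.is_a?(String)` with no `else`, so when `event.get(field)` returns something that is neither nil, an Array nor a String (a number from an earlier coerced capture, for instance) the new capture is silently discarded. In a log-parsing filter that is data loss with no tag or log line to reveal it. I would turn the last branch into a plain `else` that still runs `event.set(field, [v, value])`, or at least report the skipped value through `@logger`. The comment above `v << value` still names the old accessor `event[field] << value`; `event.get(field) << value` would match the new API. The enclosing method begins above the hunk, and the page prints no file header here; by the +7/-9 counts these hunks appear to be data/lib/logstash/filters/grok.rb.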
@@ -1,10 +1,10 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-filter-grok'
|
4
|
-
s.version = '
|
4
|
+
s.version = '3.0.0'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Parse arbitrary text and structure it."
|
7
|
-
s.description = "This gem is a
|
7
|
+
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
8
8
|
s.authors = ["Elastic"]
|
9
9
|
s.email = 'info@elastic.co'
|
10
10
|
s.homepage = "http://www.elastic.co/guide/en/logstash/current/index.html"
|
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
|
|
20
20
|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
|
21
21
|
|
22
22
|
# Gem dependencies
|
23
|
-
s.add_runtime_dependency "logstash-core-plugin-api", "~>
|
23
|
+
s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
|
24
24
|
|
25
25
|
s.add_runtime_dependency 'jls-grok', '~> 0.11.1'
|
26
26
|
s.add_runtime_dependency 'logstash-patterns-core'
|
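Review bot: `s.add_runtime_dependency 'logstash-patterns-core'`, two lines below the changed plugin-api requirement in the `@@ -20,7 +20,7 @@` hunk, still carries no version constraint, and the packaged metadata on this page resolves it to `>= 0`. Any future release of that gem, including a breaking one, therefore satisfies this 3.0.0 build, and it presumably supplies the built-in patterns the filter parses events with. A bounded requirement such as `s.add_runtime_dependency 'logstash-patterns-core', '~> <TESTED_MAJOR.MINOR>'` (placeholder; use the series the specs were run against) would keep installs reproducible. The `Gem::Specification.new` block continues past the hunk, and the page prints no file header for it.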
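--- a/data/spec/filters/grok_spec.rb
+++ b/data/spec/filters/grok_spec.rb
@@ -36,12 +36,12 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("logsource") } == "evita"
+insist { subject.get("timestamp") } == "Mar 16 00:01:25"
+insist { subject.get("message") } == "connect from camomile.cloud9.net[168.100.1.3]"
+insist { subject.get("program") } == "postfix/smtpd"
+insist { subject.get("pid") } == "1713"
 end
 end
 
@@ -58,120 +58,120 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - [id1 foo=\"bar\"][id2 baz=\"something\"] Hello, syslog." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == "4123"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == "[id1 foo=\"bar\"][id2 baz=\"something\"]"
+insist { subject.get("syslog5424_msg") } == "Hello, syslog."
 end
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - [id1 foo=\"bar\"] No process ID." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == nil
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == "[id1 foo=\"bar\"]"
+insist { subject.get("syslog5424_msg") } == "No process ID."
 end
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - - No structured data." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == "4123"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "No structured data."
 end
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - - No PID or SD." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == nil
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "No PID or SD."
 end
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - Missing structured data." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == "4123"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "Missing structured data."
 end
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - - Additional spaces." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == "4123"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "Additional spaces."
 end
 
 sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - Additional spaces and missing SD." do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "191"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2009-06-30T18:30:00+02:00"
+insist { subject.get("syslog5424_host") } == "paxton.local"
+insist { subject.get("syslog5424_app") } == "grokdebug"
+insist { subject.get("syslog5424_proc") } == "4123"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "Additional spaces and missing SD."
 end
 
 sample "<30>1 2014-04-04T16:44:07+02:00 osctrl01 dnsmasq-dhcp 8048 - - Appname contains a dash" do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "30"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2014-04-04T16:44:07+02:00"
+insist { subject.get("syslog5424_host") } == "osctrl01"
+insist { subject.get("syslog5424_app") } == "dnsmasq-dhcp"
+insist { subject.get("syslog5424_proc") } == "8048"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "Appname contains a dash"
 end
 
 sample "<30>1 2014-04-04T16:44:07+02:00 osctrl01 - 8048 - - Appname is nil" do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog5424_pri") } == "30"
+insist { subject.get("syslog5424_ver") } == "1"
+insist { subject.get("syslog5424_ts") } == "2014-04-04T16:44:07+02:00"
+insist { subject.get("syslog5424_host") } == "osctrl01"
+insist { subject.get("syslog5424_app") } == nil
+insist { subject.get("syslog5424_proc") } == "8048"
+insist { subject.get("syslog5424_msgid") } == nil
+insist { subject.get("syslog5424_sd") } == nil
+insist { subject.get("syslog5424_msg") } == "Appname is nil"
 end
 end
 
@@ -186,7 +186,7 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample("message" => [ "hello 12345", "world 23456" ]) do
-insist { subject
+insist { subject.get("NUMBER") } == [ "12345", "23456" ]
 end
 end
 
@@ -201,10 +201,10 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "400 454.33" do
-insist { subject
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("foo") } == 400
+insist { subject.get("foo") }.is_a?(Fixnum)
+insist { subject.get("bar") } == 454.33
+insist { subject.get("bar") }.is_a?(Float)
 end
 end
 
@@ -220,7 +220,7 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "hello 1234" do
-insist { subject
+insist { subject.get("FIZZLE") } == "1234"
 end
 end
 
@@ -237,8 +237,8 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample("message" => "hello world", "examplefield" => "12345") do
-insist { subject
-insist { subject
+insist { subject.get("examplefield") } == "12345"
+insist { subject.get("word") } == "hello"
 end
 end
 
@@ -254,12 +254,12 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "matchme 1234" do
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("new_field") } == "1234"
 end
 
 sample "this will not be matched" do
-insist { subject
+insist { subject.get("tags") }.include?("_grokparsefailure")
 reject { subject }.include?("new_field")
 end
 end
@@ -275,7 +275,7 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "1=test" do
-insist { subject
+insist { subject.get("tags") }.nil?
 insist { subject }.include?("foo1")
 
 # Since 'foo2' was not captured, it must not be present in the event.
@@ -294,7 +294,7 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "1=test" do
-insist { subject
+insist { subject.get("tags") }.nil?
 # use .to_hash for this test, for now, because right now
 # the Event.include? returns false for missing fields as well
 # as for fields with nil values.
@@ -317,9 +317,9 @@ describe LogStash::Filters::Grok do
 
 sample "Hello World, yo!" do
 insist { subject }.include?("WORD")
-insist { subject
+insist { subject.get("WORD") } == "World"
 insist { subject }.include?("foo")
-insist { subject
+insist { subject.get("foo") } == "yo"
 end
 end
 
@@ -334,8 +334,8 @@ describe LogStash::Filters::Grok do
 }
 CONFIG
 sample "hello world" do
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("foo") } == "hello"
 end
 end
 
@@ -350,8 +350,8 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "fancy 12-12-12 12:12:12" do
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("timestamp") } == "12-12-12 12:12:12"
 end
 end
 end
@@ -367,8 +367,8 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample("status" => 403) do
-reject { subject
-insist { subject
+reject { subject.get("tags") }.include?("_grokparsefailure")
+insist { subject.get("tags") }.include?("four_oh_three")
 end
 end
 
@@ -383,8 +383,8 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample("version" => 1.0) do
-insist { subject
-insist { subject
+insist { subject.get("tags") }.include?("one_point_oh")
+insist { subject.get("tags") }.include?("one_point_oh")
 end
 end
 
@@ -411,7 +411,7 @@ describe LogStash::Filters::Grok do
 )
 log_level_names.each do |level_name|
 sample "#{level_name}: error!" do
-insist { subject
+insist { subject.get("level") } == level_name
 end
 end
 end
@@ -427,11 +427,11 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "matchme 1234" do
-insist { subject
+insist { subject.get("tags") }.nil?
 end
 
 sample "this will not be matched" do
-insist { subject
+insist { subject.get("tags") }.include?("false")
 end
 end
 
@@ -446,7 +446,7 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "11/01/01" do
-insist { subject
+insist { subject.get("stimestamp") } == "11/01/01"
 end
 end
 
@@ -461,7 +461,7 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "hello world" do
-insist { subject
+insist { subject.get("foo-bar") } == "hello"
 end
 end
 
@@ -509,11 +509,11 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "hello world" do
-insist { subject
+insist { subject.get("foo") }.is_a?(String)
 end
 
 sample "123 world" do
-insist { subject
+insist { subject.get("foo") }.is_a?(String)
 end
 end
 
@@ -528,8 +528,8 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample("message" => "hello world 123", "somefield" => "testme abc 999") do
-insist { subject
-insist { subject
+insist { subject.get("foo") } == "123"
+insist { subject.get("bar") }.nil?
 end
 end
 
@@ -545,8 +545,8 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample("message" => "hello world 123", "somefield" => "testme abc 999") do
-insist { subject
-insist { subject
+insist { subject.get("foo") } == "123"
+insist { subject.get("bar") } == "999"
 end
 end
 
@@ -561,16 +561,16 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "treebranch" do
-insist { subject
+insist { subject.get("name2") } == "branch"
 end
 
 sample "bushbeard" do
-insist { subject
+insist { subject.get("name1") } == "bush"
 end
 
 sample "treebeard" do
-insist { subject
-insist { subject
+insist { subject.get("name1") } == "tree"
+insist { subject.get("name2") } == "beard"
 end
 end
 
@@ -585,14 +585,14 @@ describe LogStash::Filters::Grok do
 
 # array input --
 sample("message" => ["hello world 123", "line 23"]) do
-insist { subject
-insist { subject
+insist { subject.get("foo") } == ["123", "23"]
+insist { subject.get("tags") }.nil?
 end
 
 # array input, one of them matches
 sample("message" => ["hello world 123", "abc"]) do
-insist { subject
-insist { subject
+insist { subject.get("foo") } == "123"
+insist { subject.get("tags") }.nil?
 end
 end
 
@@ -607,16 +607,16 @@ describe LogStash::Filters::Grok do
 
 # array input --
 sample("message" => ["hello world 123", "line 23"]) do
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("foo") } == ["123", "23"]
+insist { subject.get("bar") }.nil?
+insist { subject.get("tags") }.nil?
 end
 
 # array input, one of them matches
 sample("message" => ["hello world", "line 23"]) do
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("bar") } == "hello"
+insist { subject.get("foo") } == "23"
+insist { subject.get("tags") }.nil?
 end
 end
 
@@ -632,16 +632,16 @@ describe LogStash::Filters::Grok do
 
 # array input --
 sample("message" => ["hello world 123", "line 23"]) do
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("foo") } == ["123", "23"]
+insist { subject.get("bar") } == ["hello", "line"]
+insist { subject.get("tags") }.nil?
 end
 
 # array input, one of them matches
 sample("message" => ["hello world", "line 23"]) do
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("bar") } == ["hello", "line"]
+insist { subject.get("foo") } == "23"
+insist { subject.get("tags") }.nil?
 end
 end
 
@@ -656,9 +656,9 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "<22>Jan 4 07:50:46 mailmaster postfix/policy-spf[9454]: : SPF permerror (Junk encountered in record 'v=spf1 mx a:mail.domain.no ip4:192.168.0.4 �all'): Envelope-from: email@domain.no" do
-insist { subject
-insist { subject
-insist { subject
+insist { subject.get("tags") }.nil?
+insist { subject.get("syslog_pri") } == "22"
+insist { subject.get("syslog_program") } == "postfix/policy-spf"
 end
 end
 
@@ -681,7 +681,7 @@ describe LogStash::Filters::Grok do
 end
 
 sample("message" => 'hello') do
-insist { subject
+insist { subject.get("tags") } == ["_grokparsefailure"]
 end
 
 after do
@@ -713,7 +713,7 @@ describe LogStash::Filters::Grok do
 end
 
 sample("message" => '0') do
-insist { subject
+insist { subject.get("tags") } == nil
 end
 
 after do
@@ -744,7 +744,7 @@ describe LogStash::Filters::Grok do
 end
 
 sample("message" => '0') do
-insist { subject
+insist { subject.get("tags") } == nil
 end
 
 after do
@@ -764,18 +764,18 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "test 28.4ms" do
-insist { subject
-insist { subject
+insist { subject.get("duration") } == 28.4
+insist { subject.get("tags") }.nil?
 end
 
 sample "test N/A" do
 insist { insist { subject.to_hash }.include?("duration") }.fails
-insist { subject
+insist { subject.get("tags") }.nil?
 end
 
 sample "test abc" do
-insist { subject
-insist { subject
+insist { subject.get("duration") }.nil?
+insist { subject.get("tags") } == ["_grokparsefailure"]
 end
 end
 
@@ -791,7 +791,7 @@ describe LogStash::Filters::Grok do
 
 sample "test N/A" do
 insist { subject.to_hash }.include?("duration")
-insist { subject
+insist { subject.get("tags") }.nil?
 end
 
 end
@@ -806,13 +806,13 @@ describe LogStash::Filters::Grok do
 CONFIG
 
 sample "test 28.4ms" do
-insist { subject
-insist { subject
+insist { subject.get("duration") } == "28.4"
+insist { subject.get("tags") }.nil?
 end
 
 sample "test N/A" do
-insist { subject
-insist { subject
+insist { subject.get("duration") }.nil?
+insist { subject.get("tags") }.nil?
 end
 end
 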
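Review bot: In the `sample("version" => 1.0)` block (hunk `@@ -383,8 +383,8 @@`) both new lines are the same assertion, `insist { subject.get("tags") }.include?("one_point_oh")`, so the second one checks nothing the first did not. The sibling `sample("status" => 403)` block pairs a `reject` on `_grokparsefailure` with its `insist`, which is probably what was intended here as well: `reject { subject.get("tags") }.include?("_grokparsefailure")` as the first line. The removed lines are truncated on this page, so whether the duplicate predates this release cannot be told from here. The surrounding `describe` block starts and ends outside the hunk.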
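--- a/metadata
+++ b/metadata
@@ -1,72 +1,74 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-grok
 version: !ruby/object:Gem::Version
-version:
+version: 3.0.0
 platform: ruby
 authors:
 - Elastic
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-
+date: 2016-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+name: logstash-core-plugin-api
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
-name: logstash-core-plugin-api
-prerelease: false
+version: '2.0'
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '2.0'
 - !ruby/object:Gem::Dependency
+name: jls-grok
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 0.11.1
-name: jls-grok
-prerelease: false
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 0.11.1
 - !ruby/object:Gem::Dependency
+name: logstash-patterns-core
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-name: logstash-patterns-core
-prerelease: false
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
+name: logstash-devutils
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-name: logstash-devutils
-prerelease: false
 type: :development
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description: This gem is a
+description: This gem is a Logstash plugin required to be installed on top of the
+Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
@@ -87,7 +89,7 @@ licenses:
 metadata:
 logstash_plugin: 'true'
 logstash_group: filter
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -102,9 +104,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.
-signing_key:
+rubyforge_project:
+rubygems_version: 2.5.1
+signing_key:
 specification_version: 4
 summary: Parse arbitrary text and structure it.
 test_files: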