logstash-filter-grok 3.3.1 → 3.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/filters/grok.rb +20 -0
- data/logstash-filter-grok.gemspec +1 -1
- data/spec/filters/grok_spec.rb +36 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b1e652d5cf4cc9eff9c8a678a3c981b394c26de0
|
|
4
|
+
data.tar.gz: 6124306fb38c72fdad65262fb0e544ca5b51592b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2fd4bb01edc17528e22cf0085b8a09b5f42624c4f843c1cef1ff089c3ec3f8a4ba79a3e5957a5cec0d819a257e389c6c0985bfb1065b305ad7c8128435f89916
|
|
7
|
+
data.tar.gz: 0fbc997375ccbc3e5406b36afe73d4ee38f5e618c5f7e5c2158a5407d030e5c1a924f9e7fc4e220eed5dbd7276f3e01e84ddb1780ce8c195f19eebb91cd288ec
|
data/CHANGELOG.md
CHANGED
|
@@ -136,6 +136,11 @@
|
|
|
136
136
|
#
|
|
137
137
|
# The `timestamp`, `logsource`, `program`, and `pid` fields come from the
|
|
138
138
|
# `SYSLOGBASE` pattern which itself is defined by other patterns.
|
|
139
|
+
#
|
|
140
|
+
# Another option is to define patterns _inline_ in the filter using `pattern_definitions`.
|
|
141
|
+
# This is mostly for convenience and allows user to define a pattern which can be used just in that
|
|
142
|
+
# filter. This newly defined patterns in `pattern_definitions` will not be available outside of that particular `grok` filter.
|
|
143
|
+
#
|
|
139
144
|
class LogStash::Filters::Grok < LogStash::Filters::Base
|
|
140
145
|
config_name "grok"
|
|
141
146
|
require "logstash/filters/grok/timeout_enforcer"
|
|
@@ -178,6 +183,12 @@
|
|
|
178
183
|
# The patterns are loaded when the pipeline is created.
|
|
179
184
|
config :patterns_dir, :validate => :array, :default => []
|
|
180
185
|
|
|
186
|
+
# A hash of pattern-name and pattern tuples defining custom patterns to be used by
|
|
187
|
+
# the current filter. Patterns matching existing names will override the pre-existing
|
|
188
|
+
# definition. Think of this as inline patterns available just for this definition of
|
|
189
|
+
# grok
|
|
190
|
+
config :pattern_definitions, :validate => :hash, :default => {}
|
|
191
|
+
|
|
181
192
|
# Glob pattern, used to select the pattern files in the directories
|
|
182
193
|
# specified by patterns_dir
|
|
183
194
|
config :patterns_files_glob, :validate => :string, :default => "*"
|
|
@@ -271,6 +282,7 @@
|
|
|
271
282
|
grok = Grok.new
|
|
272
283
|
grok.logger = @logger unless @logger.nil?
|
|
273
284
|
add_patterns_from_files(@patternfiles, grok)
|
|
285
|
+
add_patterns_from_inline_definition(@pattern_definitions, grok)
|
|
274
286
|
grok.compile(pattern, @named_captures_only)
|
|
275
287
|
@patterns[field] << grok
|
|
276
288
|
end
|
|
@@ -394,6 +406,14 @@
|
|
|
394
406
|
end
|
|
395
407
|
end # def add_patterns_from_files
|
|
396
408
|
|
|
409
|
+
private
|
|
410
|
+
def add_patterns_from_inline_definition(pattern_definitions, grok)
|
|
411
|
+
pattern_definitions.each do |name, pattern|
|
|
412
|
+
next if pattern.nil?
|
|
413
|
+
grok.add_pattern(name, pattern.chomp)
|
|
414
|
+
end
|
|
415
|
+
end
|
|
416
|
+
|
|
397
417
|
def close
|
|
398
418
|
@timeout_enforcer.stop!
|
|
399
419
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-grok'
|
|
4
|
-
s.version = '3.
|
|
4
|
+
s.version = '3.4.0'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Parse arbitrary text and structure it."
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/spec/filters/grok_spec.rb
CHANGED
|
@@ -868,4 +868,40 @@ describe LogStash::Filters::Grok do
|
|
|
868
868
|
end
|
|
869
869
|
end
|
|
870
870
|
|
|
871
|
+
describe "grok with inline pattern definition successfully extracts fields" do
|
|
872
|
+
config <<-CONFIG
|
|
873
|
+
filter {
|
|
874
|
+
grok {
|
|
875
|
+
match => { "message" => "%{APACHE_TIME:timestamp} %{LOGLEVEL:level} %{MY_PATTERN:hindsight}" }
|
|
876
|
+
pattern_definitions => { "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
|
|
877
|
+
"MY_PATTERN" => "%{YEAR}"}
|
|
878
|
+
}
|
|
879
|
+
}
|
|
880
|
+
CONFIG
|
|
881
|
+
|
|
882
|
+
sample "Mon Dec 26 16:22:08 2016 error 2020" do
|
|
883
|
+
insist { subject.get("timestamp") } == "Mon Dec 26 16:22:08 2016"
|
|
884
|
+
insist { subject.get("level") } == "error"
|
|
885
|
+
insist { subject.get("hindsight") } == "2020"
|
|
886
|
+
end
|
|
887
|
+
end
|
|
888
|
+
|
|
889
|
+
describe "grok with inline pattern definition overwrites existing pattern definition" do
|
|
890
|
+
config <<-CONFIG
|
|
891
|
+
filter {
|
|
892
|
+
grok {
|
|
893
|
+
match => { "message" => "%{APACHE_TIME:timestamp} %{LOGLEVEL:level}" }
|
|
894
|
+
# loglevel was previously ([Aa]lert|ALERT|[Tt]...
|
|
895
|
+
pattern_definitions => { "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
|
|
896
|
+
"LOGLEVEL" => "%{NUMBER}"}
|
|
897
|
+
}
|
|
898
|
+
}
|
|
899
|
+
CONFIG
|
|
900
|
+
|
|
901
|
+
sample "Mon Dec 26 16:22:08 2016 9999" do
|
|
902
|
+
insist { subject.get("timestamp") } == "Mon Dec 26 16:22:08 2016"
|
|
903
|
+
insist { subject.get("level") } == "9999"
|
|
904
|
+
end
|
|
905
|
+
end
|
|
906
|
+
|
|
871
907
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-grok
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-03-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|