logstash-filter-grok 4.0.3 → 4.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/index.asciidoc +30 -6
- data/logstash-filter-grok.gemspec +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 16a3453f2bf94d8eb76f5cb9127750ef1e1f7b801d53265e1d862164645b6adf
|
|
4
|
+
data.tar.gz: d5f193a61bc62ab63ecab9b5f912fd98418b25ab045998f39769e9c50dcd7938
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b18bb87b598ff1310d0cdd7188f3ab2c07a4888dfb1846bc81d94501c13791e55e106e3d9b1b888bc48ccccfc99a5df40a84f52672d1282b4d1c76e92a4f14e3
|
|
7
|
+
data.tar.gz: 397b8f0c2acd590dfab7db3efc5f79579dc64ce39d0c9df99acc5752877db6cb1477abab689737a923eaf2d1a7adb1fc52305390fd1ed6408cda01158e6b3dc8
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 4.0.4
|
|
2
|
+
- Added info and link to documentation for logstash-filter-dissect as another option for extracting unstructured event data into fields
|
|
3
|
+
[#144](https://github.com/logstash-plugins/logstash-filter-grok/issues/144)
|
|
4
|
+
|
|
1
5
|
## 4.0.3
|
|
2
6
|
- Fixed memory leak when run on JRuby 1.x (Logstash 5.x) [#135](https://github.com/logstash-plugins/logstash-filter-grok/issues/135)
|
|
3
7
|
|
data/docs/index.asciidoc
CHANGED
|
@@ -35,6 +35,20 @@ your own trivially. (See the `patterns_dir` setting)
|
|
|
35
35
|
If you need help building patterns to match your logs, you will find the
|
|
36
36
|
<http://grokdebug.herokuapp.com> and <http://grokconstructor.appspot.com/> applications quite useful!
|
|
37
37
|
|
|
38
|
+
===== Grok or Dissect? Or both?
|
|
39
|
+
|
|
40
|
+
The {logstash-ref}/plugins-filters-dissect.html[`dissect`] filter plugin
|
|
41
|
+
is another way to extract unstructured event data into fields using delimiters.
|
|
42
|
+
|
|
43
|
+
Dissect differs from Grok in that it does not use regular expressions and is faster.
|
|
44
|
+
Dissect works well when data is reliably repeated.
|
|
45
|
+
Grok is a better choice when the structure of your text varies from line to line.
|
|
46
|
+
|
|
47
|
+
You can use both Dissect and Grok for a hybrid use case when a section of the
|
|
48
|
+
line is reliably repeated, but the entire line is not. The Dissect filter can
|
|
49
|
+
deconstruct the section of the line that is repeated. The Grok filter can process
|
|
50
|
+
the remaining field values with more regex predictability.
|
|
51
|
+
|
|
38
52
|
==== Grok Basics
|
|
39
53
|
|
|
40
54
|
Grok works by combining text patterns into something that matches your
|
|
@@ -206,21 +220,31 @@ If `true`, keep empty captures as event fields.
|
|
|
206
220
|
* Value type is <<hash,hash>>
|
|
207
221
|
* Default value is `{}`
|
|
208
222
|
|
|
209
|
-
A hash
|
|
223
|
+
A hash that defines the mapping of _where to look_, and with which patterns.
|
|
210
224
|
|
|
211
|
-
For example:
|
|
225
|
+
For example, the following will match an existing value in the `message` field for the given pattern, and if a match is found will add the field `duration` to the event with the captured value:
|
|
212
226
|
[source,ruby]
|
|
213
227
|
filter {
|
|
214
|
-
|
|
228
|
+
grok {
|
|
229
|
+
match => {
|
|
230
|
+
"message" => "Duration: %{NUMBER:duration}"
|
|
231
|
+
}
|
|
232
|
+
}
|
|
215
233
|
}
|
|
216
234
|
|
|
217
|
-
If you need to match multiple patterns against a single field, the value can be an array of patterns
|
|
235
|
+
If you need to match multiple patterns against a single field, the value can be an array of patterns:
|
|
218
236
|
[source,ruby]
|
|
219
237
|
filter {
|
|
220
|
-
grok {
|
|
238
|
+
grok {
|
|
239
|
+
match => {
|
|
240
|
+
"message" => [
|
|
241
|
+
"Duration: %{NUMBER:duration}",
|
|
242
|
+
"Speed: %{NUMBER:speed}"
|
|
243
|
+
]
|
|
244
|
+
}
|
|
245
|
+
}
|
|
221
246
|
}
|
|
222
247
|
|
|
223
|
-
|
|
224
248
|
[id="plugins-{type}s-{plugin}-named_captures_only"]
|
|
225
249
|
===== `named_captures_only`
|
|
226
250
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-grok'
|
|
4
|
-
s.version = '4.0.
|
|
4
|
+
s.version = '4.0.4'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Parses unstructured event data into fields"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-grok
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-10-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|