logstash-filter-grok 4.0.3 → 4.0.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/docs/index.asciidoc +30 -6
- data/logstash-filter-grok.gemspec +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 16a3453f2bf94d8eb76f5cb9127750ef1e1f7b801d53265e1d862164645b6adf
|
|
4
|
+
data.tar.gz: d5f193a61bc62ab63ecab9b5f912fd98418b25ab045998f39769e9c50dcd7938
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b18bb87b598ff1310d0cdd7188f3ab2c07a4888dfb1846bc81d94501c13791e55e106e3d9b1b888bc48ccccfc99a5df40a84f52672d1282b4d1c76e92a4f14e3
|
|
7
|
+
data.tar.gz: 397b8f0c2acd590dfab7db3efc5f79579dc64ce39d0c9df99acc5752877db6cb1477abab689737a923eaf2d1a7adb1fc52305390fd1ed6408cda01158e6b3dc8
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 4.0.4
|
|
2
|
+
- Added info and link to documentation for logstash-filter-dissect as another option for extracting unstructured event data into fields
|
|
3
|
+
[#144](https://github.com/logstash-plugins/logstash-filter-grok/issues/144)
|
|
4
|
+
|
|
1
5
|
## 4.0.3
|
|
2
6
|
- Fixed memory leak when run on JRuby 1.x (Logstash 5.x) [#135](https://github.com/logstash-plugins/logstash-filter-grok/issues/135)
|
|
3
7
|
|
data/docs/index.asciidoc
CHANGED
|
@@ -35,6 +35,20 @@ your own trivially. (See the `patterns_dir` setting)
|
|
|
35
35
|
If you need help building patterns to match your logs, you will find the
|
|
36
36
|
<http://grokdebug.herokuapp.com> and <http://grokconstructor.appspot.com/> applications quite useful!
|
|
37
37
|
|
|
38
|
+
===== Grok or Dissect? Or both?
|
|
39
|
+
|
|
40
|
+
The {logstash-ref}/plugins-filters-dissect.html[`dissect`] filter plugin
|
|
41
|
+
is another way to extract unstructured event data into fields using delimiters.
|
|
42
|
+
|
|
43
|
+
Dissect differs from Grok in that it does not use regular expressions and is faster.
|
|
44
|
+
Dissect works well when data is reliably repeated.
|
|
45
|
+
Grok is a better choice when the structure of your text varies from line to line.
|
|
46
|
+
|
|
47
|
+
You can use both Dissect and Grok for a hybrid use case when a section of the
|
|
48
|
+
line is reliably repeated, but the entire line is not. The Dissect filter can
|
|
49
|
+
deconstruct the section of the line that is repeated. The Grok filter can process
|
|
50
|
+
the remaining field values with more regex predictability.
|
|
51
|
+
|
|
38
52
|
==== Grok Basics
|
|
39
53
|
|
|
40
54
|
Grok works by combining text patterns into something that matches your
|
|
@@ -206,21 +220,31 @@ If `true`, keep empty captures as event fields.
|
|
|
206
220
|
* Value type is <<hash,hash>>
|
|
207
221
|
* Default value is `{}`
|
|
208
222
|
|
|
209
|
-
A hash
|
|
223
|
+
A hash that defines the mapping of _where to look_, and with which patterns.
|
|
210
224
|
|
|
211
|
-
For example:
|
|
225
|
+
For example, the following will match an existing value in the `message` field for the given pattern, and if a match is found will add the field `duration` to the event with the captured value:
|
|
212
226
|
[source,ruby]
|
|
213
227
|
filter {
|
|
214
|
-
|
|
228
|
+
grok {
|
|
229
|
+
match => {
|
|
230
|
+
"message" => "Duration: %{NUMBER:duration}"
|
|
231
|
+
}
|
|
232
|
+
}
|
|
215
233
|
}
|
|
216
234
|
|
|
217
|
-
If you need to match multiple patterns against a single field, the value can be an array of patterns
|
|
235
|
+
If you need to match multiple patterns against a single field, the value can be an array of patterns:
|
|
218
236
|
[source,ruby]
|
|
219
237
|
filter {
|
|
220
|
-
grok {
|
|
238
|
+
grok {
|
|
239
|
+
match => {
|
|
240
|
+
"message" => [
|
|
241
|
+
"Duration: %{NUMBER:duration}",
|
|
242
|
+
"Speed: %{NUMBER:speed}"
|
|
243
|
+
]
|
|
244
|
+
}
|
|
245
|
+
}
|
|
221
246
|
}
|
|
222
247
|
|
|
223
|
-
|
|
224
248
|
[id="plugins-{type}s-{plugin}-named_captures_only"]
|
|
225
249
|
===== `named_captures_only`
|
|
226
250
|
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-grok'
|
|
4
|
-
s.version = '4.0.
|
|
4
|
+
s.version = '4.0.4'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Parses unstructured event data into fields"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-grok
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-10-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|