logstash-filter-grok 4.4.0 → 4.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -1
- data/docs/index.asciidoc +12 -1
- data/lib/logstash/filters/grok.rb +3 -0
- data/logstash-filter-grok.gemspec +1 -1
- data/spec/filters/grok_spec.rb +29 -7
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7da420422b6fab57d3744663967c3074c61527b7f3fdb21734743f86f7204cbc
|
|
4
|
+
data.tar.gz: 222fc8470f7baa66579e9d58caa6346e6ee14aa27119ba0fd4fbabe6c88497a7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8edfd6601703121eee96a189a3bb67153887779c4505361baf54cf12a01cb28391af8ed7a8b59bdfb873f6d9046da262a5ed22d18376379f9d87feab748a5e88
|
|
7
|
+
data.tar.gz: 2269f42b002e42637579d803c12fdb5a238c8904e6a36703e1c53a6e2c656b3407f8150567f355b84106613d8a1d410b665393c52db67547ca750ee4778e3e87
|
data/CHANGELOG.md
CHANGED
|
@@ -1,7 +1,10 @@
|
|
|
1
|
+
## 4.4.1
|
|
2
|
+
- Added preview of ECS v8 support using existing ECS v1 implementation [#175](https://github.com/logstash-plugins/logstash-filter-grok/pull/175)
|
|
3
|
+
|
|
1
4
|
## 4.4.0
|
|
2
5
|
- Feat: ECS compatibility support [#162](https://github.com/logstash-plugins/logstash-filter-grok/pull/162)
|
|
3
6
|
|
|
4
|
-
The filter supports using
|
|
7
|
+
The filter supports using built-in pattern definitions that are fully Elastic Common Schema (ECS) compliant.
|
|
5
8
|
|
|
6
9
|
## 4.3.0
|
|
7
10
|
- Added: added target support [#156](https://github.com/logstash-plugins/logstash-filter-grok/pull/156)
|
data/docs/index.asciidoc
CHANGED
|
@@ -235,7 +235,7 @@ parsing different things), then set this to false.
|
|
|
235
235
|
* Value type is <<string,string>>
|
|
236
236
|
* Supported values are:
|
|
237
237
|
** `disabled`: the plugin will load legacy (built-in) pattern definitions
|
|
238
|
-
** `v1`: all patterns provided by the plugin will use ECS compliant captures
|
|
238
|
+
** `v1`,`v8`: all patterns provided by the plugin will use ECS compliant captures
|
|
239
239
|
* Default value depends on which version of Logstash is running:
|
|
240
240
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
|
241
241
|
** Otherwise, the default value is `disabled`.
|
|
@@ -313,6 +313,17 @@ overwrite the `message` field with part of the match like so:
|
|
|
313
313
|
In this case, a line like `May 29 16:37:11 sadness logger: hello world`
|
|
314
314
|
will be parsed and `hello world` will overwrite the original message.
|
|
315
315
|
|
|
316
|
+
If you are using a field reference in `overwrite`, you must use the field
|
|
317
|
+
reference in the pattern. Example:
|
|
318
|
+
[source,ruby]
|
|
319
|
+
filter {
|
|
320
|
+
grok {
|
|
321
|
+
match => { "somefield" => "%{NUMBER} %{GREEDYDATA:[nested][field][test]}" }
|
|
322
|
+
overwrite => [ "[nested][field][test]" ]
|
|
323
|
+
}
|
|
324
|
+
}
|
|
325
|
+
|
|
326
|
+
|
|
316
327
|
[id="plugins-{type}s-{plugin}-pattern_definitions"]
|
|
317
328
|
===== `pattern_definitions`
|
|
318
329
|
|
|
@@ -332,6 +332,9 @@
|
|
|
332
332
|
patterns_path << LogStash::Patterns::Core.path # :legacy
|
|
333
333
|
when :v1
|
|
334
334
|
patterns_path << LogStash::Patterns::Core.path('ecs-v1')
|
|
335
|
+
when :v8
|
|
336
|
+
@logger.warn("ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the Elastic Common Schema becomes available, this plugin will need to be updated")
|
|
337
|
+
patterns_path << LogStash::Patterns::Core.path('ecs-v1')
|
|
335
338
|
else
|
|
336
339
|
fail(NotImplementedError, "ECS #{ecs_compatibility} is not supported by this plugin.")
|
|
337
340
|
end
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
s.name = 'logstash-filter-grok'
|
|
3
|
-
s.version = '4.4.
|
|
3
|
+
s.version = '4.4.1'
|
|
4
4
|
s.licenses = ['Apache License (2.0)']
|
|
5
5
|
s.summary = "Parses unstructured event data into fields"
|
|
6
6
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/spec/filters/grok_spec.rb
CHANGED
|
@@ -38,13 +38,15 @@ describe LogStash::Filters::Grok do
|
|
|
38
38
|
expect( event.get("pid") ).to eql "1713"
|
|
39
39
|
end
|
|
40
40
|
|
|
41
|
-
|
|
42
|
-
|
|
41
|
+
%w(v1 v8).each do |ecs_mode|
|
|
42
|
+
context "in ecs mode #{ecs_mode}" do
|
|
43
|
+
let(:config) { super().merge('ecs_compatibility' => ecs_mode) }
|
|
43
44
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
45
|
+
it "matches pattern" do
|
|
46
|
+
expect( event.get("host") ).to eql "hostname"=>"evita"
|
|
47
|
+
expect( event.get("process") ).to eql "name"=>"postfix/smtpd", "pid"=>1713
|
|
48
|
+
expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
|
|
49
|
+
end
|
|
48
50
|
end
|
|
49
51
|
end
|
|
50
52
|
|
|
@@ -701,7 +703,7 @@ describe LogStash::Filters::Grok do
|
|
|
701
703
|
expect( LogStash::Json.dump(event.get('username')) ).to eql "\"testuser\""
|
|
702
704
|
|
|
703
705
|
expect( event.to_json ).to match %r|"src_ip":"1.1.1.1"|
|
|
704
|
-
expect( event.to_json ).to match %r|"@timestamp":"
|
|
706
|
+
expect( event.to_json ).to match %r|"@timestamp":"#{Regexp.escape(event.get('@timestamp').to_s)}"|
|
|
705
707
|
expect( event.to_json ).to match %r|"port":"22"|
|
|
706
708
|
expect( event.to_json ).to match %r|"@version":"1"|
|
|
707
709
|
expect( event.to_json ).to match %r|"username"|i
|
|
@@ -769,6 +771,26 @@ describe LogStash::Filters::Grok do
|
|
|
769
771
|
end
|
|
770
772
|
end
|
|
771
773
|
|
|
774
|
+
describe LogStash::Filters::Grok do
|
|
775
|
+
|
|
776
|
+
subject(:grok_filter) { described_class.new(config) }
|
|
777
|
+
let(:config) { {} }
|
|
778
|
+
|
|
779
|
+
context 'when initialized with `ecs_compatibility => v8`' do
|
|
780
|
+
let(:config) { super().merge("ecs_compatibility" => "v8", "match" => ["message", "%{SYSLOGLINE}"]) }
|
|
781
|
+
context '#register' do
|
|
782
|
+
let(:logger_stub) { double('Logger').as_null_object }
|
|
783
|
+
before(:each) { allow_any_instance_of(described_class).to receive(:logger).and_return(logger_stub)}
|
|
784
|
+
|
|
785
|
+
it 'logs a helpful warning about the unreleased v8' do
|
|
786
|
+
grok_filter.register
|
|
787
|
+
|
|
788
|
+
expect(logger_stub).to have_received(:warn).with(a_string_including "preview of the unreleased ECS v8")
|
|
789
|
+
end
|
|
790
|
+
end
|
|
791
|
+
end
|
|
792
|
+
end
|
|
793
|
+
|
|
772
794
|
describe LogStash::Filters::Grok do
|
|
773
795
|
describe "(LEGACY)" do
|
|
774
796
|
describe "patterns in the 'patterns/' dir override core patterns" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-grok
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.4.
|
|
4
|
+
version: 4.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-11-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -161,8 +161,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
161
161
|
- !ruby/object:Gem::Version
|
|
162
162
|
version: '0'
|
|
163
163
|
requirements: []
|
|
164
|
-
|
|
165
|
-
rubygems_version: 2.6.13
|
|
164
|
+
rubygems_version: 3.1.6
|
|
166
165
|
signing_key:
|
|
167
166
|
specification_version: 4
|
|
168
167
|
summary: Parses unstructured event data into fields
|