logstash-filter-grok 4.4.0 → 4.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -1
- data/docs/index.asciidoc +12 -1
- data/lib/logstash/filters/grok.rb +3 -0
- data/logstash-filter-grok.gemspec +1 -1
- data/spec/filters/grok_spec.rb +29 -7
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7da420422b6fab57d3744663967c3074c61527b7f3fdb21734743f86f7204cbc
|
|
4
|
+
data.tar.gz: 222fc8470f7baa66579e9d58caa6346e6ee14aa27119ba0fd4fbabe6c88497a7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8edfd6601703121eee96a189a3bb67153887779c4505361baf54cf12a01cb28391af8ed7a8b59bdfb873f6d9046da262a5ed22d18376379f9d87feab748a5e88
|
|
7
|
+
data.tar.gz: 2269f42b002e42637579d803c12fdb5a238c8904e6a36703e1c53a6e2c656b3407f8150567f355b84106613d8a1d410b665393c52db67547ca750ee4778e3e87
|
data/CHANGELOG.md
CHANGED
|
@@ -1,7 +1,10 @@
|
|
|
1
|
+
## 4.4.1
|
|
2
|
+
- Added preview of ECS v8 support using existing ECS v1 implementation [#175](https://github.com/logstash-plugins/logstash-filter-grok/pull/175)
|
|
3
|
+
|
|
1
4
|
## 4.4.0
|
|
2
5
|
- Feat: ECS compatibility support [#162](https://github.com/logstash-plugins/logstash-filter-grok/pull/162)
|
|
3
6
|
|
|
4
|
-
The filter supports using
|
|
7
|
+
The filter supports using built-in pattern definitions that are fully Elastic Common Schema (ECS) compliant.
|
|
5
8
|
|
|
6
9
|
## 4.3.0
|
|
7
10
|
- Added: added target support [#156](https://github.com/logstash-plugins/logstash-filter-grok/pull/156)
|
data/docs/index.asciidoc
CHANGED
|
@@ -235,7 +235,7 @@ parsing different things), then set this to false.
|
|
|
235
235
|
* Value type is <<string,string>>
|
|
236
236
|
* Supported values are:
|
|
237
237
|
** `disabled`: the plugin will load legacy (built-in) pattern definitions
|
|
238
|
-
** `v1`: all patterns provided by the plugin will use ECS compliant captures
|
|
238
|
+
** `v1`,`v8`: all patterns provided by the plugin will use ECS compliant captures
|
|
239
239
|
* Default value depends on which version of Logstash is running:
|
|
240
240
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
|
241
241
|
** Otherwise, the default value is `disabled`.
|
|
@@ -313,6 +313,17 @@ overwrite the `message` field with part of the match like so:
|
|
|
313
313
|
In this case, a line like `May 29 16:37:11 sadness logger: hello world`
|
|
314
314
|
will be parsed and `hello world` will overwrite the original message.
|
|
315
315
|
|
|
316
|
+
If you are using a field reference in `overwrite`, you must use the field
|
|
317
|
+
reference in the pattern. Example:
|
|
318
|
+
[source,ruby]
|
|
319
|
+
filter {
|
|
320
|
+
grok {
|
|
321
|
+
match => { "somefield" => "%{NUMBER} %{GREEDYDATA:[nested][field][test]}" }
|
|
322
|
+
overwrite => [ "[nested][field][test]" ]
|
|
323
|
+
}
|
|
324
|
+
}
|
|
325
|
+
|
|
326
|
+
|
|
316
327
|
[id="plugins-{type}s-{plugin}-pattern_definitions"]
|
|
317
328
|
===== `pattern_definitions`
|
|
318
329
|
|
|
@@ -332,6 +332,9 @@
|
|
|
332
332
|
patterns_path << LogStash::Patterns::Core.path # :legacy
|
|
333
333
|
when :v1
|
|
334
334
|
patterns_path << LogStash::Patterns::Core.path('ecs-v1')
|
|
335
|
+
when :v8
|
|
336
|
+
@logger.warn("ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the Elastic Common Schema becomes available, this plugin will need to be updated")
|
|
337
|
+
patterns_path << LogStash::Patterns::Core.path('ecs-v1')
|
|
335
338
|
else
|
|
336
339
|
fail(NotImplementedError, "ECS #{ecs_compatibility} is not supported by this plugin.")
|
|
337
340
|
end
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
s.name = 'logstash-filter-grok'
|
|
3
|
-
s.version = '4.4.
|
|
3
|
+
s.version = '4.4.1'
|
|
4
4
|
s.licenses = ['Apache License (2.0)']
|
|
5
5
|
s.summary = "Parses unstructured event data into fields"
|
|
6
6
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/spec/filters/grok_spec.rb
CHANGED
|
@@ -38,13 +38,15 @@ describe LogStash::Filters::Grok do
|
|
|
38
38
|
expect( event.get("pid") ).to eql "1713"
|
|
39
39
|
end
|
|
40
40
|
|
|
41
|
-
|
|
42
|
-
|
|
41
|
+
%w(v1 v8).each do |ecs_mode|
|
|
42
|
+
context "in ecs mode #{ecs_mode}" do
|
|
43
|
+
let(:config) { super().merge('ecs_compatibility' => ecs_mode) }
|
|
43
44
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
45
|
+
it "matches pattern" do
|
|
46
|
+
expect( event.get("host") ).to eql "hostname"=>"evita"
|
|
47
|
+
expect( event.get("process") ).to eql "name"=>"postfix/smtpd", "pid"=>1713
|
|
48
|
+
expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
|
|
49
|
+
end
|
|
48
50
|
end
|
|
49
51
|
end
|
|
50
52
|
|
|
@@ -701,7 +703,7 @@ describe LogStash::Filters::Grok do
|
|
|
701
703
|
expect( LogStash::Json.dump(event.get('username')) ).to eql "\"testuser\""
|
|
702
704
|
|
|
703
705
|
expect( event.to_json ).to match %r|"src_ip":"1.1.1.1"|
|
|
704
|
-
expect( event.to_json ).to match %r|"@timestamp":"
|
|
706
|
+
expect( event.to_json ).to match %r|"@timestamp":"#{Regexp.escape(event.get('@timestamp').to_s)}"|
|
|
705
707
|
expect( event.to_json ).to match %r|"port":"22"|
|
|
706
708
|
expect( event.to_json ).to match %r|"@version":"1"|
|
|
707
709
|
expect( event.to_json ).to match %r|"username"|i
|
|
@@ -769,6 +771,26 @@ describe LogStash::Filters::Grok do
|
|
|
769
771
|
end
|
|
770
772
|
end
|
|
771
773
|
|
|
774
|
+
describe LogStash::Filters::Grok do
|
|
775
|
+
|
|
776
|
+
subject(:grok_filter) { described_class.new(config) }
|
|
777
|
+
let(:config) { {} }
|
|
778
|
+
|
|
779
|
+
context 'when initialized with `ecs_compatibility => v8`' do
|
|
780
|
+
let(:config) { super().merge("ecs_compatibility" => "v8", "match" => ["message", "%{SYSLOGLINE}"]) }
|
|
781
|
+
context '#register' do
|
|
782
|
+
let(:logger_stub) { double('Logger').as_null_object }
|
|
783
|
+
before(:each) { allow_any_instance_of(described_class).to receive(:logger).and_return(logger_stub)}
|
|
784
|
+
|
|
785
|
+
it 'logs a helpful warning about the unreleased v8' do
|
|
786
|
+
grok_filter.register
|
|
787
|
+
|
|
788
|
+
expect(logger_stub).to have_received(:warn).with(a_string_including "preview of the unreleased ECS v8")
|
|
789
|
+
end
|
|
790
|
+
end
|
|
791
|
+
end
|
|
792
|
+
end
|
|
793
|
+
|
|
772
794
|
describe LogStash::Filters::Grok do
|
|
773
795
|
describe "(LEGACY)" do
|
|
774
796
|
describe "patterns in the 'patterns/' dir override core patterns" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-grok
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.4.
|
|
4
|
+
version: 4.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-11-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -161,8 +161,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
161
161
|
- !ruby/object:Gem::Version
|
|
162
162
|
version: '0'
|
|
163
163
|
requirements: []
|
|
164
|
-
|
|
165
|
-
rubygems_version: 2.6.13
|
|
164
|
+
rubygems_version: 3.1.6
|
|
166
165
|
signing_key:
|
|
167
166
|
specification_version: 4
|
|
168
167
|
summary: Parses unstructured event data into fields
|