logstash-filter-kv 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    YTZmNmRlZDE1NWJmNmViNjYwZDE0NjY5ZmY2Mjk0MWEzNjBhODZkYQ==
+  data.tar.gz: !binary |-
+    MGY0OTJiMWNlNDQ5ZjJlZmM5YzczODI5ZTEwZjMwZjBiNGY5MjZkNA==
+SHA512:
+  metadata.gz: !binary |-
+    NzgxZTMxNzIzNzk1OTc4NGFhYTQ1MTVmYzJjZmE4MzMyMGFmMGVhYjk2M2Rm
+    MGUyMjM4NGM1MmQ5MWJhNGJjOTQxYmI5MzU0M2JlYjI0MmYxNzMwZTg3Mjdh
+    ZWMxNmI0ZjlhMDE0YTY2YTUwM2IyYzY0NzIxYWU5OWY2ZTA3ZmI=
+  data.tar.gz: !binary |-
+    MDE3MzIzOGQ1ZGJmNmJjNzNjZjgzZjZjYzg0MWRmNTNhMjU0NzZjMTJjY2M4
+    MTZiZDRlNTUwYzQ4ODllZGNiZjUzNDRiYWVjODlhNTI5Mzg2ZjNmZjVlZThh
+    Y2RiMjNjMjYyMmVlNjRmODE3NDk4NTQyZDI4NWFiNGQxZGY5NWQ=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/kv.rb

@@ -0,0 +1,237 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+# This filter helps automatically parse messages (or specific event fields)
+# which are of the 'foo=bar' variety.
+#
+# For example, if you have a log message which contains 'ip=1.2.3.4
+# error=REFUSED', you can parse those automatically by configuring:
+#
+#     filter {
+#       kv { }
+#     }
+#
+# The above will result in a message of "ip=1.2.3.4 error=REFUSED" having
+# the fields:
+#
+# * ip: 1.2.3.4
+# * error: REFUSED
+#
+# This is great for postfix, iptables, and other types of logs that
+# tend towards 'key=value' syntax.
+#
+# You can configure any arbitrary strings to split your data on,
+# in case your data is not structured using '=' signs and whitespace.
+# For example, this filter can also be used to parse query parameters like
+# 'foo=bar&baz=fizz' by setting the `field_split` parameter to "&".
+class LogStash::Filters::KV < LogStash::Filters::Base
+  config_name "kv"
+  milestone 2
+
+  # A string of characters to trim from the value. This is useful if your
+  # values are wrapped in brackets or are terminated with commas (like postfix
+  # logs).
+  #
+  # These characters form a regex character class and thus you must escape special regex
+  # characters like '[' or ']' using '\'.
+  #
+  # For example, to strip '<', '>', '[', ']' and ',' characters from values:
+  #
+  #     filter {
+  #       kv {
+  #         trim => "<>\[\],"
+  #       }
+  #     }
+  config :trim, :validate => :string
+
+  # A string of characters to trim from the key. This is useful if your
+  # keys are wrapped in brackets or start with space.
+  #
+  # These characters form a regex character class and thus you must escape special regex
+  # characters like '[' or ']' using '\'.
+  #
+  # For example, to strip '<' '>' '[' ']' and ',' characters from keys:
+  #
+  #     filter {
+  #       kv {
+  #         trimkey => "<>\[\],"
+  #       }
+  #     }
+  config :trimkey, :validate => :string
+
+  # A string of characters to use as delimiters for parsing out key-value pairs.
+  #
+  # These characters form a regex character class and thus you must escape special regex
+  # characters like '[' or ']' using '\'.
+  #
+  # #### Example with URL Query Strings
+  #
+  # For example, to split out the args from a url query string such as
+  # '?pin=12345~0&d=123&e=foo@bar.com&oq=bobo&ss=12345':
+  #
+  #     filter {
+  #       kv {
+  #         field_split => "&?"
+  #       }
+  #     }
+  #
+  # The above splits on both "&" and "?" characters, giving you the following
+  # fields:
+  #
+  # * pin: 12345~0
+  # * d: 123
+  # * e: foo@bar.com
+  # * oq: bobo
+  # * ss: 12345
+  config :field_split, :validate => :string, :default => ' '
+
+
+  # A string of characters to use as delimiters for identifying key-value relations.
+  #
+  # These characters form a regex character class and thus you must escape special regex
+  # characters like '[' or ']' using '\'.
+  #
+  # For example, to identify key-values such as
+  # 'key1:value1 key2:value2':
+  #
+  #     filter { kv { value_split => ":" } }
+  config :value_split, :validate => :string, :default => '='
+
+  # A string to prepend to all of the extracted keys.
+  #
+  # For example, to prepend arg_ to all keys:
+  #
+  #     filter { kv { prefix => "arg_" } }
+  config :prefix, :validate => :string, :default => ''
+
+  # The field to perform 'key=value' searching on
+  #
+  # For example, to process the `not_the_message` field:
+  #
+  #     filter { kv { source => "not_the_message" } }
+  config :source, :validate => :string, :default => "message"
+
+  # The name of the container to put all of the key-value pairs into.
+  #
+  # If this setting is omitted, fields will be written to the root of the
+  # event, as individual fields.
+  #
+  # For example, to place all keys into the event field kv:
+  #
+  #     filter { kv { target => "kv" } }
+  config :target, :validate => :string
+
+  # An array specifying the parsed keys which should be added to the event.
+  # By default all keys will be added.
+  #
+  # For example, consider a source like "Hey, from=<abc>, to=def foo=bar". 
+  # To include "from" and "to", but exclude the "foo" key, you could use this configuration:
+  #     filter {
+  #       kv {
+  #         include_keys => [ "from", "to" ]
+  #       }
+  #     }
+  config :include_keys, :validate => :array, :default => []
+
+  # An array specifying the parsed keys which should not be added to the event.
+  # By default no keys will be excluded.
+  #
+  # For example, consider a source like "Hey, from=<abc>, to=def foo=bar". 
+  # To exclude "from" and "to", but retain the "foo" key, you could use this configuration:
+  #     filter {
+  #       kv {
+  #         exclude_keys => [ "from", "to" ]
+  #       }
+  #     }
+  config :exclude_keys, :validate => :array, :default => []
+
+  # A hash specifying the default keys and their values which should be added to the event
+  # in case these keys do not exist in the source field being parsed.
+  #
+  #     filter {
+  #       kv {
+  #         default_keys => [ "from", "logstash@example.com",
+  #                          "to", "default@dev.null" ]
+  #       }
+  #     }
+  config :default_keys, :validate => :hash, :default => {}
+
+  def register
+    @trim_re = Regexp.new("[#{@trim}]") if !@trim.nil?
+    @trimkey_re = Regexp.new("[#{@trimkey}]") if !@trimkey.nil?
+    @scan_re = Regexp.new("((?:\\\\ |[^"+@field_split+@value_split+"])+)["+@value_split+"](?:\"([^\"]+)\"|'([^']+)'|((?:\\\\ |[^"+@field_split+"])+))")
+  end # def register
+
+  def filter(event)
+    return unless filter?(event)
+
+    kv = Hash.new
+
+    value = event[@source]
+
+    case value
+      when nil; # Nothing to do
+      when String; kv = parse(value, event, kv)
+      when Array; value.each { |v| kv = parse(v, event, kv) }
+      else
+        @logger.warn("kv filter has no support for this type of data",
+                     :type => value.class, :value => value)
+    end # case value
+
+    # Add default key-values for missing keys
+    kv = @default_keys.merge(kv)
+
+    # If we have any keys, create/append the hash
+    if kv.length > 0
+      if @target.nil?
+        # Default is to write to the root of the event.
+        dest = event.to_hash
+      else
+        if !event[@target].is_a?(Hash)
+          @logger.debug("Overwriting existing target field", :target => @target)
+          dest = event[@target] = {}
+        else
+          dest = event[@target]
+        end
+      end
+
+      dest.merge!(kv)
+      filter_matched(event)
+    end
+  end # def filter
+
+  private
+  def parse(text, event, kv_keys)
+    if !event =~ /[@field_split]/
+      return kv_keys
+    end
+    
+    # Interpret dynamic keys for @include_keys and @exclude_keys
+    include_keys = @include_keys.map{|key| event.sprintf(key)}
+    exclude_keys = @exclude_keys.map{|key| event.sprintf(key)}
+    
+    text.scan(@scan_re) do |key, v1, v2, v3|
+      value = v1 || v2 || v3
+      key = @trimkey.nil? ? key : key.gsub(@trimkey_re, "")
+      
+      # Bail out as per the values of include_keys and exclude_keys
+      next if not include_keys.empty? and not include_keys.include?(key)
+      next if exclude_keys.include?(key)
+
+      key = event.sprintf(@prefix) + key
+
+      value = @trim.nil? ? value : value.gsub(@trim_re, "")
+      if kv_keys.has_key?(key)
+        if kv_keys[key].is_a? Array
+          kv_keys[key].push(value)
+        else
+          kv_keys[key] = [kv_keys[key], value]
+        end
+      else
+        kv_keys[key] = value
+      end
+    end
+    return kv_keys
+  end
+end # class LogStash::Filters::KV

data/logstash-filter-kv.gemspec

@@ -0,0 +1,26 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-kv'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "This filter helps automatically parse messages (or specific event fields) which are of the 'foo=bar' variety."
+  s.description     = "This filter helps automatically parse messages (or specific event fields) which are of the 'foo=bar' variety."
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/kv_spec.rb

@@ -0,0 +1,436 @@
+require "spec_helper"
+require "logstash/filters/kv"
+
+describe LogStash::Filters::KV do
+
+  describe "defaults" do
+    # The logstash config goes here.
+    # At this time, only filters are supported.
+    config <<-CONFIG
+      filter {
+        kv { }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["hello"] } == "world"
+      insist { subject["foo"] } == "bar"
+      insist { subject["baz"] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+      insist { subject["singlequoted"] } == "hello world"
+    end
+
+  end
+
+   describe "LOGSTASH-624: allow escaped space in key or value " do
+    config <<-CONFIG
+      filter {
+        kv { value_split => ':' }
+      }
+    CONFIG
+
+    sample 'IKE:=Quick\ Mode\ completion IKE\ IDs:=subnet:\ x.x.x.x\ (mask=\ 255.255.255.254)\ and\ host:\ y.y.y.y' do
+      insist { subject["IKE"] } == '=Quick\ Mode\ completion'
+      insist { subject['IKE\ IDs'] } == '=subnet:\ x.x.x.x\ (mask=\ 255.255.255.254)\ and\ host:\ y.y.y.y'
+    end
+  end
+
+  describe "test value_split" do
+    config <<-CONFIG
+      filter {
+        kv { value_split => ':' }
+      }
+    CONFIG
+
+    sample "hello:=world foo:bar baz=:fizz doublequoted:\"hello world\" singlequoted:'hello world'" do
+      insist { subject["hello"] } == "=world"
+      insist { subject["foo"] } == "bar"
+      insist { subject["baz="] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+      insist { subject["singlequoted"] } == "hello world"
+    end
+
+  end
+
+  describe "test field_split" do
+    config <<-CONFIG
+      filter {
+        kv { field_split => '?&' }
+      }
+    CONFIG
+
+    sample "?hello=world&foo=bar&baz=fizz&doublequoted=\"hello world\"&singlequoted='hello world'&ignoreme&foo12=bar12" do
+      insist { subject["hello"] } == "world"
+      insist { subject["foo"] } == "bar"
+      insist { subject["baz"] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+      insist { subject["singlequoted"] } == "hello world"
+      insist { subject["foo12"] } == "bar12"
+    end
+
+  end
+
+  describe  "delimited fields should override space default (reported by LOGSTASH-733)" do
+    config <<-CONFIG
+      filter {
+        kv { field_split => "|" }
+      }
+    CONFIG
+
+    sample "field1=test|field2=another test|field3=test3" do
+      insist { subject["field1"] } == "test"
+      insist { subject["field2"] } == "another test"
+      insist { subject["field3"] } == "test3"
+    end
+  end
+
+  describe "test prefix" do
+    config <<-CONFIG
+      filter {
+        kv { prefix => '__' }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["__hello"] } == "world"
+      insist { subject["__foo"] } == "bar"
+      insist { subject["__baz"] } == "fizz"
+      insist { subject["__doublequoted"] } == "hello world"
+      insist { subject["__singlequoted"] } == "hello world"
+    end
+
+  end
+
+  describe "speed test", :performance => true do
+    count = 10000 + rand(3000)
+    config <<-CONFIG
+      input {
+        generator {
+          count => #{count}
+          type => foo
+          message => "hello=world bar='baz fizzle'"
+        }
+      }
+
+      filter {
+        kv { }
+      }
+
+      output  {
+        null { }
+      }
+    CONFIG
+
+    start = Time.now
+    agent do
+      duration = (Time.now - start)
+      puts "filters/kv rate: #{"%02.0f/sec" % (count / duration)}, elapsed: #{duration}s"
+    end
+  end
+
+  describe "add_tag" do
+    context "should activate when successful" do
+      config <<-CONFIG
+        filter {
+          kv { add_tag => "hello" }
+        }
+      CONFIG
+
+      sample "hello=world" do
+        insist { subject["hello"] } == "world"
+        insist { subject["tags"] }.include?("hello")
+      end
+    end
+    context "should not activate when failing" do
+      config <<-CONFIG
+        filter {
+          kv { add_tag => "hello" }
+        }
+      CONFIG
+
+      sample "this is not key value" do
+        insist { subject["tags"] }.nil?
+      end
+    end
+  end
+
+  describe "add_field" do
+    context "should activate when successful" do
+      config <<-CONFIG
+        filter {
+          kv { add_field => [ "whoa", "fancypants" ] }
+        }
+      CONFIG
+
+      sample "hello=world" do
+        insist { subject["hello"] } == "world"
+        insist { subject["whoa"] } == "fancypants"
+      end
+    end
+
+    context "should not activate when failing" do
+      config <<-CONFIG
+        filter {
+          kv { add_tag => "hello" }
+        }
+      CONFIG
+
+      sample "this is not key value" do
+        reject { subject["whoa"] } == "fancypants"
+      end
+    end
+  end
+
+  #New tests
+  describe "test target" do
+    config <<-CONFIG
+      filter {
+        kv { target => 'kv' }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["kv"]["hello"] } == "world"
+      insist { subject["kv"]["foo"] } == "bar"
+      insist { subject["kv"]["baz"] } == "fizz"
+      insist { subject["kv"]["doublequoted"] } == "hello world"
+      insist { subject["kv"]["singlequoted"] } == "hello world"
+      insist {subject["kv"].count } == 5
+    end
+
+  end
+
+  describe "test empty target" do
+    config <<-CONFIG
+      filter {
+        kv { target => 'kv' }
+      }
+    CONFIG
+
+    sample "hello:world:foo:bar:baz:fizz" do
+      insist { subject["kv"] } == nil
+    end
+  end
+
+
+  describe "test data from specific sub source" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "data"
+        }
+      }
+    CONFIG
+    sample("data" => "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'") do
+      insist { subject["hello"] } == "world"
+      insist { subject["foo"] } == "bar"
+      insist { subject["baz"] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+      insist { subject["singlequoted"] } == "hello world"
+    end
+  end
+
+  describe "test data from specific top source" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "@data"
+        }
+      }
+    CONFIG
+    sample({"@data" => "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'"}) do
+      insist { subject["hello"] } == "world"
+      insist { subject["foo"] } == "bar"
+      insist { subject["baz"] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+      insist { subject["singlequoted"] } == "hello world"
+    end
+  end
+
+
+  describe "test data from specific sub source and target" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "data"
+          target => "kv"
+        }
+      }
+    CONFIG
+    sample("data" => "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'") do
+      insist { subject["kv"]["hello"] } == "world"
+      insist { subject["kv"]["foo"] } == "bar"
+      insist { subject["kv"]["baz"] } == "fizz"
+      insist { subject["kv"]["doublequoted"] } == "hello world"
+      insist { subject["kv"]["singlequoted"] } == "hello world"
+      insist { subject["kv"].count } == 5
+    end
+  end
+
+  describe "test data from nil sub source, should not issue a warning" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "non-exisiting-field"
+          target => "kv"
+        }
+      }
+    CONFIG
+    sample "" do
+      insist { subject["non-exisiting-field"] } == nil
+      insist { subject["kv"] } == nil
+    end
+  end
+
+  describe "test include_keys" do
+    config <<-CONFIG
+      filter {
+        kv {
+          include_keys => [ "foo", "singlequoted" ]
+        }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["foo"] } == "bar"
+      insist { subject["singlequoted"] } == "hello world"
+    end
+  end
+
+  describe "test exclude_keys" do
+    config <<-CONFIG
+      filter {
+        kv {
+          exclude_keys => [ "foo", "singlequoted" ]
+        }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["hello"] } == "world"
+      insist { subject["baz"] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+    end
+  end
+
+  describe "test include_keys with prefix" do
+    config <<-CONFIG
+      filter {
+        kv {
+          include_keys => [ "foo", "singlequoted" ]
+          prefix       => "__"
+        }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["__foo"] } == "bar"
+      insist { subject["__singlequoted"] } == "hello world"
+    end
+  end
+
+  describe "test exclude_keys with prefix" do
+    config <<-CONFIG
+      filter {
+        kv {
+          exclude_keys => [ "foo", "singlequoted" ]
+          prefix       => "__"
+        }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["__hello"] } == "world"
+      insist { subject["__baz"] } == "fizz"
+      insist { subject["__doublequoted"] } == "hello world"
+    end
+  end
+  
+  describe "test include_keys with dynamic key" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "data"
+          include_keys => [ "%{key}"]
+        }
+      }
+    CONFIG
+    
+    sample({"data" => "foo=bar baz=fizz", "key" => "foo"}) do
+      insist { subject["foo"] } == "bar"
+      insist { subject["baz"] } == nil
+    end
+  end
+  
+  describe "test exclude_keys with dynamic key" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "data"
+          exclude_keys => [ "%{key}"]
+        }
+      }
+    CONFIG
+    
+    sample({"data" => "foo=bar baz=fizz", "key" => "foo"}) do
+      insist { subject["foo"] } == nil
+      insist { subject["baz"] } == "fizz"
+    end
+  end
+
+  describe "test include_keys and exclude_keys" do
+    config <<-CONFIG
+      filter {
+        kv {
+          # This should exclude everything as a result of both settings.
+          include_keys => [ "foo", "singlequoted" ]
+          exclude_keys => [ "foo", "singlequoted" ]
+        }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      %w(hello foo baz doublequoted singlequoted).each do |field|
+        reject { subject }.include?(field)
+      end
+    end
+  end
+
+  describe "test default_keys" do
+    config <<-CONFIG
+      filter {
+        kv {
+          default_keys => [ "foo", "xxx",
+                            "goo", "yyy" ]
+        }
+      }
+    CONFIG
+
+    sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
+      insist { subject["hello"] } == "world"
+      insist { subject["foo"] } == "bar"
+      insist { subject["goo"] } == "yyy"
+      insist { subject["baz"] } == "fizz"
+      insist { subject["doublequoted"] } == "hello world"
+      insist { subject["singlequoted"] } == "hello world"
+    end
+  end
+
+  describe "overwriting a string field (often the source)" do
+    config <<-CONFIG
+      filter {
+        kv {
+          source => "happy"
+          target => "happy"
+        }
+      }
+    CONFIG
+
+    sample("happy" => "foo=bar baz=fizz") do
+      insist { subject["[happy][foo]"] } == "bar"
+      insist { subject["[happy][baz]"] } == "fizz"
+    end
+
+  end
+
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-kv
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+description: This filter helps automatically parse messages (or specific event fields)
+  which are of the 'foo=bar' variety.
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Rakefile
+- lib/logstash/filters/kv.rb
+- logstash-filter-kv.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/kv_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: This filter helps automatically parse messages (or specific event fields)
+  which are of the 'foo=bar' variety.
+test_files:
+- spec/filters/kv_spec.rb