logstash-filter-kv 1.0.0 → 2.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +4 -4
- data/lib/logstash/filters/kv.rb +52 -4
- data/logstash-filter-kv.gemspec +3 -3
- data/spec/filters/kv_spec.rb +50 -2
- metadata +15 -23
- data/.gitignore +0 -4
- data/Rakefile +0 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8d91c83bc99167f5507bedad6cd5b45979c56ad1
|
|
4
|
+
data.tar.gz: 46c64b9469e5a4e12e5f96a6e39840fdb6c253f8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 49d79377ad19c67357c5739a249d21dc4d5253340dc75cb0241702d5f91f4232347ec894732910dc5cbe6ab1f49b2b88e3903c10d5e11747559fbbc965061d8a
|
|
7
|
+
data.tar.gz: 855dc47570be28ece7aecec466d80aece0ca744e5fc4ec9155095f1fbc57a41195e145ca7ac34b82545ddb722358962762288ee478a73b705fd6ff9de9638ead
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
# Logstash Plugin
|
|
2
2
|
|
|
3
|
-
This is a plugin for [Logstash](https://github.com/
|
|
3
|
+
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
|
4
4
|
|
|
5
5
|
It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
|
|
6
6
|
|
|
7
7
|
## Documentation
|
|
8
8
|
|
|
9
|
-
Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.
|
|
9
|
+
Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
|
|
10
10
|
|
|
11
11
|
- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
|
|
12
|
-
- For more asciidoc formatting tips, see the excellent reference here https://github.com/
|
|
12
|
+
- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
|
|
13
13
|
|
|
14
14
|
## Need Help?
|
|
15
15
|
|
|
@@ -83,4 +83,4 @@ Programming is not a required skill. Whatever you've seen about open source and
|
|
|
83
83
|
|
|
84
84
|
It is more important to the community that you are able to contribute.
|
|
85
85
|
|
|
86
|
-
For more information about contributing, see the [CONTRIBUTING](https://github.com/
|
|
86
|
+
For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
|
data/lib/logstash/filters/kv.rb
CHANGED
|
@@ -172,10 +172,49 @@ class LogStash::Filters::KV < LogStash::Filters::Base
|
|
|
172
172
|
# }
|
|
173
173
|
config :allow_duplicate_values, :validate => :boolean, :default => true
|
|
174
174
|
|
|
175
|
+
# A boolean specifying whether to include brackets as value `wrappers`
|
|
176
|
+
# (the default is true)
|
|
177
|
+
# [source,ruby]
|
|
178
|
+
# filter {
|
|
179
|
+
# kv {
|
|
180
|
+
# include_brackets => true
|
|
181
|
+
# }
|
|
182
|
+
# }
|
|
183
|
+
#
|
|
184
|
+
# For example, the result of this line:
|
|
185
|
+
# `bracketsone=(hello world) bracketstwo=[hello world]`
|
|
186
|
+
#
|
|
187
|
+
# will be:
|
|
188
|
+
# * bracketsone: hello world
|
|
189
|
+
# * bracketstwo: hello world
|
|
190
|
+
#
|
|
191
|
+
# instead of:
|
|
192
|
+
# * bracketsone: (hello
|
|
193
|
+
# * bracketstwo: [hello
|
|
194
|
+
config :include_brackets, :validate => :boolean, :default => true
|
|
195
|
+
|
|
196
|
+
# A boolean specifying whether to drill down into values
|
|
197
|
+
# and recursively get more key-value pairs from it.
|
|
198
|
+
# The extra key-value pairs will be stored as subkeys of the root key.
|
|
199
|
+
#
|
|
200
|
+
# Default is not to recursive values.
|
|
201
|
+
# [source,ruby]
|
|
202
|
+
# filter {
|
|
203
|
+
# kv {
|
|
204
|
+
# recursive => "true"
|
|
205
|
+
# }
|
|
206
|
+
# }
|
|
207
|
+
#
|
|
208
|
+
config :recursive, :validate => :boolean, :default => false
|
|
209
|
+
|
|
175
210
|
def register
|
|
176
211
|
@trim_re = Regexp.new("[#{@trim}]") if !@trim.nil?
|
|
177
212
|
@trimkey_re = Regexp.new("[#{@trimkey}]") if !@trimkey.nil?
|
|
178
|
-
|
|
213
|
+
|
|
214
|
+
valueRxString = "(?:\"([^\"]+)\"|'([^']+)'"
|
|
215
|
+
valueRxString += "|\\(([^\\)]+)\\)|\\[([^\\]]+)\\]" if @include_brackets
|
|
216
|
+
valueRxString += "|((?:\\\\ |[^"+@field_split+"])+))"
|
|
217
|
+
@scan_re = Regexp.new("((?:\\\\ |[^"+@field_split+@value_split+"])+)\\s*["+@value_split+"]\\s*"+valueRxString)
|
|
179
218
|
end # def register
|
|
180
219
|
|
|
181
220
|
def filter(event)
|
|
@@ -218,7 +257,7 @@ class LogStash::Filters::KV < LogStash::Filters::Base
|
|
|
218
257
|
|
|
219
258
|
private
|
|
220
259
|
def parse(text, event, kv_keys)
|
|
221
|
-
if !event =~ /[@
|
|
260
|
+
if !event =~ /[@value_split]/
|
|
222
261
|
return kv_keys
|
|
223
262
|
end
|
|
224
263
|
|
|
@@ -226,8 +265,8 @@ class LogStash::Filters::KV < LogStash::Filters::Base
|
|
|
226
265
|
include_keys = @include_keys.map{|key| event.sprintf(key)}
|
|
227
266
|
exclude_keys = @exclude_keys.map{|key| event.sprintf(key)}
|
|
228
267
|
|
|
229
|
-
text.scan(@scan_re) do |key, v1, v2, v3|
|
|
230
|
-
value = v1 || v2 || v3
|
|
268
|
+
text.scan(@scan_re) do |key, v1, v2, v3, v4, v5|
|
|
269
|
+
value = v1 || v2 || v3 || v4 || v5
|
|
231
270
|
key = @trimkey.nil? ? key : key.gsub(@trimkey_re, "")
|
|
232
271
|
|
|
233
272
|
# Bail out as per the values of include_keys and exclude_keys
|
|
@@ -242,6 +281,15 @@ class LogStash::Filters::KV < LogStash::Filters::Base
|
|
|
242
281
|
# option is set to true.
|
|
243
282
|
next if not @allow_duplicate_values and kv_keys.has_key?(key) and kv_keys[key].include?(value)
|
|
244
283
|
|
|
284
|
+
# recursively get more kv pairs from the value
|
|
285
|
+
if @recursive and value =~ /[@value_split]/
|
|
286
|
+
innerKv = Hash.new
|
|
287
|
+
innerKv = parse(value, event, innerKv)
|
|
288
|
+
if innerKv.length > 0
|
|
289
|
+
value = innerKv
|
|
290
|
+
end
|
|
291
|
+
end
|
|
292
|
+
|
|
245
293
|
if kv_keys.has_key?(key)
|
|
246
294
|
if kv_keys[key].is_a? Array
|
|
247
295
|
kv_keys[key].push(value)
|
data/logstash-filter-kv.gemspec
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-filter-kv'
|
|
4
|
-
s.version = '
|
|
4
|
+
s.version = '2.0.0'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "This filter helps automatically parse messages (or specific event fields) which are of the 'foo=bar' variety."
|
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
|
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
|
|
|
11
11
|
s.require_paths = ["lib"]
|
|
12
12
|
|
|
13
13
|
# Files
|
|
14
|
-
s.files =
|
|
14
|
+
s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
|
|
15
15
|
|
|
16
16
|
# Tests
|
|
17
17
|
s.test_files = s.files.grep(%r{^(test|spec|features)/})
|
|
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
|
|
|
20
20
|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
|
|
21
21
|
|
|
22
22
|
# Gem dependencies
|
|
23
|
-
s.add_runtime_dependency "logstash-core",
|
|
23
|
+
s.add_runtime_dependency "logstash-core", "~> 2.0.0.snapshot"
|
|
24
24
|
|
|
25
25
|
s.add_development_dependency 'logstash-devutils'
|
|
26
26
|
end
|
data/spec/filters/kv_spec.rb
CHANGED
|
@@ -12,14 +12,32 @@ describe LogStash::Filters::KV do
|
|
|
12
12
|
}
|
|
13
13
|
CONFIG
|
|
14
14
|
|
|
15
|
-
sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world'" do
|
|
15
|
+
sample "hello=world foo=bar baz=fizz doublequoted=\"hello world\" singlequoted='hello world' bracketsone=(hello world) bracketstwo=[hello world]" do
|
|
16
16
|
insist { subject["hello"] } == "world"
|
|
17
17
|
insist { subject["foo"] } == "bar"
|
|
18
18
|
insist { subject["baz"] } == "fizz"
|
|
19
19
|
insist { subject["doublequoted"] } == "hello world"
|
|
20
20
|
insist { subject["singlequoted"] } == "hello world"
|
|
21
|
+
insist { subject["bracketsone"] } == "hello world"
|
|
22
|
+
insist { subject["bracketstwo"] } == "hello world"
|
|
21
23
|
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
describe "test spaces attached to the field_split" do
|
|
27
|
+
config <<-CONFIG
|
|
28
|
+
filter {
|
|
29
|
+
kv { }
|
|
30
|
+
}
|
|
31
|
+
CONFIG
|
|
22
32
|
|
|
33
|
+
sample "hello = world foo =bar baz= fizz doublequoted = \"hello world\" singlequoted= 'hello world' brackets =(hello world)" do
|
|
34
|
+
insist { subject["hello"] } == "world"
|
|
35
|
+
insist { subject["foo"] } == "bar"
|
|
36
|
+
insist { subject["baz"] } == "fizz"
|
|
37
|
+
insist { subject["doublequoted"] } == "hello world"
|
|
38
|
+
insist { subject["singlequoted"] } == "hello world"
|
|
39
|
+
insist { subject["brackets"] } == "hello world"
|
|
40
|
+
end
|
|
23
41
|
end
|
|
24
42
|
|
|
25
43
|
describe "LOGSTASH-624: allow escaped space in key or value " do
|
|
@@ -42,12 +60,13 @@ describe LogStash::Filters::KV do
|
|
|
42
60
|
}
|
|
43
61
|
CONFIG
|
|
44
62
|
|
|
45
|
-
sample "hello:=world foo:bar baz=:fizz doublequoted:\"hello world\" singlequoted:'hello world'" do
|
|
63
|
+
sample "hello:=world foo:bar baz=:fizz doublequoted:\"hello world\" singlequoted:'hello world' brackets:(hello world)" do
|
|
46
64
|
insist { subject["hello"] } == "=world"
|
|
47
65
|
insist { subject["foo"] } == "bar"
|
|
48
66
|
insist { subject["baz="] } == "fizz"
|
|
49
67
|
insist { subject["doublequoted"] } == "hello world"
|
|
50
68
|
insist { subject["singlequoted"] } == "hello world"
|
|
69
|
+
insist { subject["brackets"] } == "hello world"
|
|
51
70
|
end
|
|
52
71
|
|
|
53
72
|
end
|
|
@@ -67,7 +86,36 @@ describe LogStash::Filters::KV do
|
|
|
67
86
|
insist { subject["singlequoted"] } == "hello world"
|
|
68
87
|
insist { subject["foo12"] } == "bar12"
|
|
69
88
|
end
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
describe "test include_brackets is false" do
|
|
92
|
+
config <<-CONFIG
|
|
93
|
+
filter {
|
|
94
|
+
kv { include_brackets => "false" }
|
|
95
|
+
}
|
|
96
|
+
CONFIG
|
|
97
|
+
|
|
98
|
+
sample "bracketsone=(hello world) bracketstwo=[hello world]" do
|
|
99
|
+
insist { subject["bracketsone"] } == "(hello"
|
|
100
|
+
insist { subject["bracketstwo"] } == "[hello"
|
|
101
|
+
end
|
|
102
|
+
end
|
|
70
103
|
|
|
104
|
+
describe "test recursive" do
|
|
105
|
+
config <<-CONFIG
|
|
106
|
+
filter {
|
|
107
|
+
kv {
|
|
108
|
+
recursive => 'true'
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
CONFIG
|
|
112
|
+
|
|
113
|
+
sample 'IKE="Quick Mode completion" IKE\ IDs = (subnet= x.x.x.x mask= 255.255.255.254 and host=y.y.y.y)' do
|
|
114
|
+
insist { subject["IKE"] } == 'Quick Mode completion'
|
|
115
|
+
insist { subject['IKE\ IDs']['subnet'] } == 'x.x.x.x'
|
|
116
|
+
insist { subject['IKE\ IDs']['mask'] } == '255.255.255.254'
|
|
117
|
+
insist { subject['IKE\ IDs']['host'] } == 'y.y.y.y'
|
|
118
|
+
end
|
|
71
119
|
end
|
|
72
120
|
|
|
73
121
|
describe "delimited fields should override space default (reported by LOGSTASH-733)" do
|
metadata
CHANGED
|
@@ -1,63 +1,55 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-kv
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-09-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
|
-
name: logstash-core
|
|
15
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
16
|
-
requirements:
|
|
17
|
-
- - '>='
|
|
18
|
-
- !ruby/object:Gem::Version
|
|
19
|
-
version: 1.4.0
|
|
20
|
-
- - <
|
|
21
|
-
- !ruby/object:Gem::Version
|
|
22
|
-
version: 2.0.0
|
|
23
14
|
requirement: !ruby/object:Gem::Requirement
|
|
24
15
|
requirements:
|
|
25
|
-
- -
|
|
26
|
-
- !ruby/object:Gem::Version
|
|
27
|
-
version: 1.4.0
|
|
28
|
-
- - <
|
|
16
|
+
- - ~>
|
|
29
17
|
- !ruby/object:Gem::Version
|
|
30
|
-
version: 2.0.0
|
|
18
|
+
version: 2.0.0.snapshot
|
|
19
|
+
name: logstash-core
|
|
31
20
|
prerelease: false
|
|
32
21
|
type: :runtime
|
|
33
|
-
- !ruby/object:Gem::Dependency
|
|
34
|
-
name: logstash-devutils
|
|
35
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
36
23
|
requirements:
|
|
37
|
-
- -
|
|
24
|
+
- - ~>
|
|
38
25
|
- !ruby/object:Gem::Version
|
|
39
|
-
version:
|
|
26
|
+
version: 2.0.0.snapshot
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
40
28
|
requirement: !ruby/object:Gem::Requirement
|
|
41
29
|
requirements:
|
|
42
30
|
- - '>='
|
|
43
31
|
- !ruby/object:Gem::Version
|
|
44
32
|
version: '0'
|
|
33
|
+
name: logstash-devutils
|
|
45
34
|
prerelease: false
|
|
46
35
|
type: :development
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - '>='
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
47
41
|
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
|
48
42
|
email: info@elastic.co
|
|
49
43
|
executables: []
|
|
50
44
|
extensions: []
|
|
51
45
|
extra_rdoc_files: []
|
|
52
46
|
files:
|
|
53
|
-
- .gitignore
|
|
54
47
|
- CHANGELOG.md
|
|
55
48
|
- CONTRIBUTORS
|
|
56
49
|
- Gemfile
|
|
57
50
|
- LICENSE
|
|
58
51
|
- NOTICE.TXT
|
|
59
52
|
- README.md
|
|
60
|
-
- Rakefile
|
|
61
53
|
- lib/logstash/filters/kv.rb
|
|
62
54
|
- logstash-filter-kv.gemspec
|
|
63
55
|
- spec/filters/kv_spec.rb
|
|
@@ -83,7 +75,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
83
75
|
version: '0'
|
|
84
76
|
requirements: []
|
|
85
77
|
rubyforge_project:
|
|
86
|
-
rubygems_version: 2.
|
|
78
|
+
rubygems_version: 2.4.8
|
|
87
79
|
signing_key:
|
|
88
80
|
specification_version: 4
|
|
89
81
|
summary: This filter helps automatically parse messages (or specific event fields) which are of the 'foo=bar' variety.
|
data/.gitignore
DELETED