logstash-filter-multiline 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    Yjg5MGE4OTE3MmE0MzUwNWNkYmNjZDllYzYwNGJiNzFmNTJhZjBkOQ==
+  data.tar.gz: !binary |-
+    YWZjYTY3MjIxMmMzOGI3OTE0N2ExMTk2NWI3ZjAyYTYxZWZjYWZlNA==
+SHA512:
+  metadata.gz: !binary |-
+    MDYyMzgwYTllZWY1NjM2ZDY2N2YwOTQwZjVmMWE1MGNjYzI4ODM0YjYwZWRi
+    ZDAzNGJhMjZiM2NkNzUyMGI4YTczNWMzMWM0YTI1NjRhY2RlM2EyZWZjNGI5
+    YTVkYmI0MWVmYzA3NGJkM2ZhMThhZDFlZTkxMzAwNGU0MjY5N2Y=
+  data.tar.gz: !binary |-
+    ZjdhOGRjOTk5NTUzYTAxZjRiODZkN2VmYmFjNjUyYjA1NjZiM2U0N2I4YTg3
+    ZjEyZWI0YTQ2NTdlYzEzMzNjYjgwNjQxZjYyYTg1ZmNkNjRhYzc1M2NiNDI0
+    MDUwOTNiNzJlMjY1M2Q0Mzk0ZThjNmY1ZTJjZDNjYzc3OGI5MWE=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012-2014 Elasticsearch <http://www.elasticsearch.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/multiline.rb

@@ -0,0 +1,280 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "logstash/environment"
+require "logstash/patterns/core"
+require "set"
+#
+# This filter will collapse multiline messages from a single source into one Logstash event.
+#
+# The original goal of this filter was to allow joining of multi-line messages
+# from files into a single event. For example - joining java exception and
+# stacktrace messages into a single event.
+#
+# NOTE: This filter will not work with multiple worker threads `-w 2` on the logstash command line.
+#
+# The config looks like this:
+# [source,ruby]
+#     filter {
+#       multiline {
+#         type => "type"
+#         pattern => "pattern, a regexp"
+#         negate => boolean
+#         what => "previous" or "next"
+#       }
+#     }
+#
+# The `pattern` should be a regexp which matches what you believe to be an indicator
+# that the field is part of an event consisting of multiple lines of log data.
+#
+# The `what` must be `previous` or `next` and indicates the relation
+# to the multi-line event.
+#
+# The `negate` can be `true` or `false` (defaults to `false`). If `true`, a
+# message not matching the pattern will constitute a match of the multiline
+# filter and the `what` will be applied. (vice-versa is also true)
+#
+# For example, Java stack traces are multiline and usually have the message
+# starting at the far-left, with each subsequent line indented. Do this:
+# [source,ruby]
+#     filter {
+#       multiline {
+#         type => "somefiletype"
+#         pattern => "^\s"
+#         what => "previous"
+#       }
+#     }
+#
+# This says that any line starting with whitespace belongs to the previous line.
+#
+# Another example is C line continuations (backslash). Here's how to do that:
+# [source,ruby]
+#     filter {
+#       multiline {
+#         type => "somefiletype "
+#         pattern => "\\$"
+#         what => "next"
+#       }
+#     }
+#
+# This says that any line ending with a backslash should be combined with the
+# following line.
+#
+class LogStash::Filters::Multiline < LogStash::Filters::Base
+
+  config_name "multiline"
+  milestone 3
+
+  # The regular expression to match.
+  config :pattern, :validate => :string, :required => true
+
+  # If the pattern matched, does event belong to the next or previous event?
+  config :what, :validate => ["previous", "next"], :required => true
+
+  # Negate the regexp pattern ('if not matched')
+  config :negate, :validate => :boolean, :default => false
+
+  # The stream identity is how the multiline filter determines which stream an
+  # event belongs to. This is generally used for differentiating, say, events
+  # coming from multiple files in the same file input, or multiple connections
+  # coming from a tcp input.
+  #
+  # The default value here is usually what you want, but there are some cases
+  # where you want to change it. One such example is if you are using a tcp
+  # input with only one client connecting at any time. If that client
+  # reconnects (due to error or client restart), then logstash will identify
+  # the new connection as a new stream and break any multiline goodness that
+  # may have occurred between the old and new connection. To solve this use
+  # case, you can use `%{@source_host}.%{@type}` instead.
+  config :stream_identity , :validate => :string, :default => "%{host}.%{path}.%{type}"
+
+  # Logstash ships by default with a bunch of patterns, so you don't
+  # necessarily need to define this yourself unless you are adding additional
+  # patterns.
+  #
+  # Pattern files are plain text with format:
+  # [source,ruby]
+  #     NAME PATTERN
+  #
+  # For example:
+  # [source,ruby]
+  #     NUMBER \d+
+  config :patterns_dir, :validate => :array, :default => []
+
+  # The maximum age an event can be (in seconds) before it is automatically
+  # flushed.
+  config :max_age, :validate => :number, :default => 5
+
+  # Call the filter flush method at regular interval.
+  # Optional.
+  config :periodic_flush, :validate => :boolean, :default => true
+
+
+  # Detect if we are running from a jarfile, pick the right path.
+  @@patterns_path = Set.new
+  @@patterns_path += [LogStash::Patterns::Core.path]
+
+  MULTILINE_TAG = "multiline"
+
+  public
+  def initialize(config = {})
+    super
+
+    # this filter cannot be parallelized because message order
+    # cannot be garanteed across threads, line #2 could be processed
+    # before line #1
+    @threadsafe = false
+
+    # this filter needs to keep state
+    @pending = Hash.new
+  end # def initialize
+
+  public
+  def register
+    require "grok-pure" # rubygem 'jls-grok'
+
+    @grok = Grok.new
+
+    @patterns_dir = @@patterns_path.to_a + @patterns_dir
+    @patterns_dir.each do |path|
+      if File.directory?(path)
+        path = File.join(path, "*")
+      end
+
+      Dir.glob(path).each do |file|
+        @logger.info("Grok loading patterns from file", :path => file)
+        @grok.add_patterns_from_file(file)
+      end
+    end
+
+    @grok.compile(@pattern)
+
+    case @what
+    when "previous"
+      class << self; alias_method :multiline_filter!, :previous_filter!; end
+    when "next"
+      class << self; alias_method :multiline_filter!, :next_filter!; end
+    else
+      # we should never get here since @what is validated at config
+      raise(ArgumentError, "Unknown multiline 'what' value")
+    end # case @what
+
+    @logger.debug("Registered multiline plugin", :type => @type, :config => @config)
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    match = event["message"].is_a?(Array) ? @grok.match(event["message"].first) : @grok.match(event["message"])
+    match = (match and !@negate) || (!match and @negate) # add negate option
+
+    @logger.debug? && @logger.debug("Multiline", :pattern => @pattern, :message => event["message"], :match => match, :negate => @negate)
+
+    multiline_filter!(event, match)
+
+    unless event.cancelled?
+      collapse_event!(event)
+      filter_matched(event) if match
+    end
+  end # def filter
+
+  # flush any pending messages
+  # called at regular interval without options and at pipeline shutdown with the :final => true option
+  # @param options [Hash]
+  # @option options [Boolean] :final => true to signal a final shutdown flush
+  # @return [Array<LogStash::Event>] list of flushed events
+  public
+  def flush(options = {})
+    expired = nil
+
+    # note that thread safety concerns are not necessary here because the multiline filter
+    # is not thread safe thus cannot be run in multiple folterworker threads and flushing
+    # is called by the same thread
+
+    # select all expired events from the @pending hash into a new expired hash
+    # if :final flush then select all events
+    expired = @pending.inject({}) do |r, (key, event)|
+      age = Time.now - Array(event["@timestamp"]).first.time
+      r[key] = event if (age >= @max_age) || options[:final]
+      r
+    end
+
+    # delete expired items from @pending hash
+    expired.each{|key, event| @pending.delete(key)}
+
+    # return list of uncancelled and collapsed expired events
+    expired.map{|key, event| event.uncancel; collapse_event!(event)}
+  end # def flush
+
+  public
+  def teardown
+    # nothing to do
+  end
+
+  private
+
+  def previous_filter!(event, match)
+    key = event.sprintf(@stream_identity)
+
+    pending = @pending[key]
+
+    if match
+      event.tag(MULTILINE_TAG)
+      # previous previous line is part of this event.
+      # append it to the event and cancel it
+      if pending
+        pending.append(event)
+      else
+        @pending[key] = event
+      end
+      event.cancel
+    else
+      # this line is not part of the previous event
+      # if we have a pending event, it's done, send it.
+      # put the current event into pending
+      if pending
+        tmp = event.to_hash
+        event.overwrite(pending)
+        @pending[key] = LogStash::Event.new(tmp)
+      else
+        @pending[key] = event
+        event.cancel
+      end
+    end # if match
+  end
+
+  def next_filter!(event, match)
+    key = event.sprintf(@stream_identity)
+
+    # protect @pending for race condition between the flush thread and the worker thread
+    pending = @pending[key]
+
+    if match
+      event.tag(MULTILINE_TAG)
+      # this line is part of a multiline event, the next
+      # line will be part, too, put it into pending.
+      if pending
+        pending.append(event)
+      else
+        @pending[key] = event
+      end
+      event.cancel
+    else
+      # if we have something in pending, join it with this message
+      # and send it. otherwise, this is a new message and not part of
+      # multiline, send it.
+      if pending
+        pending.append(event)
+        event.overwrite(pending)
+        @pending.delete(key)
+      end
+    end # if match
+  end
+
+  def collapse_event!(event)
+    event["message"] = event["message"].join("\n") if event["message"].is_a?(Array)
+    event.timestamp = event.timestamp.first if event.timestamp.is_a?(Array)
+    event
+  end
+end # class LogStash::Filters::Multiline

data/logstash-filter-multiline.gemspec

@@ -0,0 +1,29 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-multiline'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "This filter will collapse multiline messages from a single source into one Logstash event."
+  s.description     = "This filter will collapse multiline messages from a single source into one Logstash event."
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+  s.add_runtime_dependency 'logstash-patterns-core'
+  s.add_runtime_dependency 'logstash-filter-mutate'
+  s.add_runtime_dependency 'jls-grok', '~> 0.11.0'
+
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/multiline_spec.rb

@@ -0,0 +1,153 @@
+# encoding: utf-8
+
+require "spec_helper"
+require "logstash/filters/multiline"
+
+describe LogStash::Filters::Multiline do
+
+  describe "simple multiline" do
+    config <<-CONFIG
+    filter {
+      multiline {
+        periodic_flush => false
+        pattern => "^\\s"
+        what => previous
+      }
+    }
+    CONFIG
+
+    sample [ "hello world", "   second line", "another first line" ] do
+      expect(subject).to be_a(Array)
+      insist { subject.size } == 2
+      insist { subject[0]["message"] } == "hello world\n   second line"
+      insist { subject[1]["message"] } == "another first line"
+    end
+  end
+
+  describe "multiline using grok patterns" do
+    config <<-CONFIG
+    filter {
+      multiline {
+        pattern => "^%{NUMBER} %{TIME}"
+        negate => true
+        what => previous
+      }
+    }
+    CONFIG
+
+    sample [ "120913 12:04:33 first line", "second line", "third line" ] do
+      insist { subject["message"] } ==  "120913 12:04:33 first line\nsecond line\nthird line"
+    end
+  end
+
+  describe "multiline safety among multiple concurrent streams" do
+    config <<-CONFIG
+      filter {
+        multiline {
+          pattern => "^\\s"
+          what => previous
+        }
+      }
+    CONFIG
+
+    count = 50
+    stream_count = 3
+
+    # first make sure to have starting lines for all streams
+    eventstream = stream_count.times.map do |i|
+      stream = "stream#{i}"
+      lines = [LogStash::Event.new("message" => "hello world #{stream}", "host" => stream, "type" => stream)]
+      lines += rand(5).times.map do |n|
+        LogStash::Event.new("message" => "   extra line in #{stream}", "host" => stream, "type" => stream)
+      end
+    end
+
+    # them add starting lines for random stream with sublines also for random stream
+    eventstream += (count - stream_count).times.map do |i|
+      stream = "stream#{rand(stream_count)}"
+      lines = [LogStash::Event.new("message" => "hello world #{stream}", "host" => stream, "type" => stream)]
+      lines += rand(5).times.map do |n|
+        stream = "stream#{rand(stream_count)}"
+        LogStash::Event.new("message" => "   extra line in #{stream}", "host" => stream, "type" => stream)
+      end
+    end
+
+    events = eventstream.flatten.map{|event| event.to_hash}
+
+    sample events do
+      expect(subject).to be_a(Array)
+      insist { subject.size } == count
+
+      subject.each_with_index do |event, i|
+        insist { event["type"] == event["host"] } == true
+        stream = event["type"]
+        insist { event["message"].split("\n").first } =~ /hello world /
+        insist { event["message"].scan(/stream\d/).all?{|word| word == stream} } == true
+      end
+    end
+  end
+
+  describe "multiline add/remove tags and fields only when matched" do
+    config <<-CONFIG
+      filter {
+        mutate {
+          add_tag => "dummy"
+        }
+        multiline {
+          add_tag => [ "nope" ]
+          remove_tag => "dummy"
+          add_field => [ "dummy2", "value" ]
+          pattern => "an unlikely match"
+          what => previous
+        }
+      }
+    CONFIG
+
+    sample [ "120913 12:04:33 first line", "120913 12:04:33 second line" ] do
+      expect(subject).to be_a(Array)
+      insist { subject.size } == 2
+
+      subject.each do |s|
+        insist { s["tags"].include?("nope")  } == false
+        insist { s["tags"].include?("dummy") } == true
+        insist { s.include?("dummy2") } == false
+      end
+    end
+  end
+
+  describe "regression test for GH issue #1258" do
+    config <<-CONFIG
+      filter {
+        multiline {
+          pattern => "^\s"
+          what => "next"
+          add_tag => ["multi"]
+        }
+      }
+    CONFIG
+
+    sample [ "  match", "nomatch" ] do
+      expect(subject).to be_a(LogStash::Event)
+      insist { subject["message"] } == "  match\nnomatch"
+    end
+  end
+
+  describe "multiple match/nomatch" do
+    config <<-CONFIG
+      filter {
+        multiline {
+          pattern => "^\s"
+          what => "next"
+          add_tag => ["multi"]
+        }
+      }
+    CONFIG
+
+    sample ["  match1", "nomatch1", "  match2", "nomatch2"] do
+      expect(subject).to be_a(Array)
+      insist { subject.size } == 2
+      insist { subject[0]["message"] } == "  match1\nnomatch1"
+      insist { subject[1]["message"] } == "  match2\nnomatch2"
+    end
+  end
+end

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-multiline
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: logstash-patterns-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-filter-mutate
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jls-grok
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+description: This filter will collapse multiline messages from a single source into
+  one Logstash event.
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- Rakefile
+- lib/logstash/filters/multiline.rb
+- logstash-filter-multiline.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/multiline_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: This filter will collapse multiline messages from a single source into one
+  Logstash event.
+test_files:
+- spec/filters/multiline_spec.rb