logstash-filter-prune 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    Y2UxMGMyM2U5NTRmMmM4YjFlMDM0NzhlNDY0NWE5NmYxMDQzOTA5Yg==
+  data.tar.gz: !binary |-
+    NWUzMTUxY2ZhNjY4YzFmNjJlNzM5YmZkYzQ0ODUzNjcyYmZiY2MwZg==
+SHA512:
+  metadata.gz: !binary |-
+    ZTVhYjVhOGNiODliMWE4ZGU4MTkzZTU3M2Y5ZmUwMzM1ODI0ZjBhOWFmZGNi
+    MzRmNDU3YWM0ZWIwNWY4Mjg5ZWMyYjAwM2I3NzEzZjc2ZWIyMTljNWYzZjFl
+    OWE4ZDdhMTMzNjg5MWU4ZDc2NjIwNTJiZGJhYmI1NzBkYzc5MWE=
+  data.tar.gz: !binary |-
+    ZjJiN2ExYTcyMjIzMzViYWY4OTBlOGVkZGExMWE5OTdkOWNjMzhkNzJhOTA2
+    OTcxNDYyZmY1NDk2ZDAwMjA4MTdmNDFkZDI0MzkxMDgzYjI4N2NjODVlOGZj
+    MWEyMDQ4YWM1Y2Q3MWQ1YjMyZGFjZTFhZmM3MjEwODMzNTZlYTQ=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/prune.rb

@@ -0,0 +1,150 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+
+# The prune filter is for pruning event data from @fileds based on whitelist/blacklist
+# of field names or their values (names and values can also be regular expressions).
+
+class LogStash::Filters::Prune < LogStash::Filters::Base
+  config_name "prune"
+  milestone 1
+
+  # Trigger whether configation fields and values should be interpolated for
+  # dynamic values.
+  # Probably adds some performance overhead. Defaults to false.
+  config :interpolate, :validate => :boolean, :default => false
+
+  # Include only fields only if their names match specified regexps, default to empty list which means include everything.
+  # 
+  #     filter { 
+  #       %PLUGIN% { 
+  #         tags            => [ "apache-accesslog" ]
+  #         whitelist_names => [ "method", "(referrer|status)", "${some}_field" ]
+  #       }
+  #     }
+  config :whitelist_names, :validate => :array, :default => []
+
+  # Exclude fields which names match specified regexps, by default exclude unresolved %{field} strings.
+  #
+  #     filter { 
+  #       %PLUGIN% { 
+  #         tags            => [ "apache-accesslog" ]
+  #         blacklist_names => [ "method", "(referrer|status)", "${some}_field" ]
+  #       }
+  #     }
+  config :blacklist_names, :validate => :array, :default => [ "%\{[^}]+\}" ]
+
+  # Include specified fields only if their values match regexps.
+  # In case field values are arrays, the fields are pruned on per array item
+  # thus only matching array items will be included.
+  # 
+  #     filter { 
+  #       %PLUGIN% { 
+  #         tags             => [ "apache-accesslog" ]
+  #         whitelist_values => [ "uripath", "/index.php",
+  #                               "method", "(GET|POST)",
+  #                               "status", "^[^2]" ]
+  #       }
+  #     }
+  config :whitelist_values, :validate => :hash, :default => {}
+
+  # Exclude specified fields if their values match regexps.
+  # In case field values are arrays, the fields are pruned on per array item
+  # in case all array items are matched whole field will be deleted.
+  #
+  #     filter { 
+  #       %PLUGIN% { 
+  #         tags             => [ "apache-accesslog" ]
+  #         blacklist_values => [ "uripath", "/index.php",
+  #                               "method", "(HEAD|OPTIONS)",
+  #                               "status", "^[^2]" ]
+  #       }
+  #     }
+  config :blacklist_values, :validate => :hash, :default => {}
+
+  public
+  def register
+    unless @interpolate
+      @whitelist_names_regexp = Regexp.union(@whitelist_names.map {|x| Regexp.new(x)})
+      @blacklist_names_regexp = Regexp.union(@blacklist_names.map {|x| Regexp.new(x)})
+      @whitelist_values.each do |key, value|
+        @whitelist_values[key] = Regexp.new(value)
+      end
+      @blacklist_values.each do |key, value|
+        @blacklist_values[key] = Regexp.new(value)
+      end
+    end
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    hash = event.to_hash
+
+    # We need to collect fields which needs to be remove ,and only in the end
+    # actually remove it since then interpolation mode you can get unexpected
+    # results as fields with dynamic values will not match since the fields to
+    # which they refer have already been removed.
+    fields_to_remove = []
+
+    unless @whitelist_names.empty?
+      @whitelist_names_regexp = Regexp.union(@whitelist_names.map {|x| Regexp.new(event.sprintf(x))}) if @interpolate
+      hash.each_key do |field|
+        fields_to_remove << field unless field.match(@whitelist_names_regexp)
+      end
+    end
+
+    unless @blacklist_names.empty?
+      @blacklist_names_regexp = Regexp.union(@blacklist_names.map {|x| Regexp.new(event.sprintf(x))}) if @interpolate
+      hash.each_key do |field|
+        fields_to_remove << field if field.match(@blacklist_names_regexp)
+      end
+    end
+
+    @whitelist_values.each do |key, value|
+      if @interpolate
+        key = event.sprintf(key)
+        value = Regexp.new(event.sprintf(value))
+      end
+      if hash[key]
+        if hash[key].is_a?(Array)
+          subvalues_to_remove = hash[key].find_all{|x| not x.match(value)}
+          unless subvalues_to_remove.empty?
+            fields_to_remove << (subvalues_to_remove.length == hash[key].length ? key : { :key => key, :values => subvalues_to_remove })
+          end
+        else
+          fields_to_remove << key if not hash[key].match(value)
+        end
+      end
+    end
+
+    @blacklist_values.each do |key, value|
+      if @interpolate
+        key = event.sprintf(key)
+        value = Regexp.new(event.sprintf(value))
+      end
+      if hash[key]
+        if hash[key].is_a?(Array)
+          subvalues_to_remove = hash[key].find_all{|x| x.match(value)}
+          unless subvalues_to_remove.empty?
+            fields_to_remove << (subvalues_to_remove.length == hash[key].length ? key : { :key => key, :values => subvalues_to_remove })
+          end
+        else
+          fields_to_remove << key if hash[key].match(value)
+        end
+      end
+    end
+
+    fields_to_remove.each do |field|
+      if field.is_a?(Hash)
+        hash[field[:key]] = hash[field[:key]] - field[:values]
+      else
+        hash.delete(field)
+      end
+    end
+
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::Prune

data/logstash-filter-prune.gemspec

@@ -0,0 +1,26 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-prune'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "The prune filter is for pruning event data from fields based on whitelist/blacklist of field names or their values (names and values can also be regular expressions)"
+  s.description     = "The prune filter is for pruning event data from fields based on whitelist/blacklist of field names or their values (names and values can also be regular expressions)"
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/prune_spec.rb

@@ -0,0 +1,441 @@
+require "spec_helper"
+require "logstash/filters/prune"
+
+# Currently the prune filter has bugs and I can't really tell what the intended
+# behavior is.
+#
+# See the 'whitelist field values with interpolation' test for a commented
+# explanation of my confusion.
+describe LogStash::Filters::Prune, :if => false  do
+  
+
+  describe "defaults" do
+
+    config <<-CONFIG
+      filter {
+        prune { }
+      }
+    CONFIG
+    
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == "Borat"
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == "Borat Sagdiyev"
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == "Somethere in Kazakhstan"
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == "200"
+      insist { subject["Borat_saying"] } == "Cloud is not ready for enterprise if is not integrate with single server running Active Directory."
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "whitelist field names" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          whitelist_names => [ "firstname", "(hobby|status)", "%{firstname}_saying" ]
+        }
+      }
+    CONFIG
+    
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == "Borat"
+      insist { subject["lastname"] } == nil
+      insist { subject["fullname"] } == nil
+      insist { subject["country"] } == nil
+      insist { subject["location"] } == nil
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == "200"
+      insist { subject["Borat_saying"] } == nil
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "whitelist field names with interpolation" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          whitelist_names => [ "firstname", "(hobby|status)", "%{firstname}_saying" ]
+          interpolate     => true
+        }
+      }
+    CONFIG
+    
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == "Borat"
+      insist { subject["lastname"] } == nil
+      insist { subject["fullname"] } == nil
+      insist { subject["country"] } == nil
+      insist { subject["location"] } == nil
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == "200"
+      insist { subject["Borat_saying"] } == "Cloud is not ready for enterprise if is not integrate with single server running Active Directory."
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "blacklist field names" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          blacklist_names => [ "firstname", "(hobby|status)", "%{firstname}_saying" ]
+        }
+      }
+    CONFIG
+
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == nil
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == "Borat Sagdiyev"
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == "Somethere in Kazakhstan"
+      insist { subject["hobby"] } == nil
+      insist { subject["status"] } == nil
+      insist { subject["Borat_saying"] } == "Cloud is not ready for enterprise if is not integrate with single server running Active Directory."
+      insist { subject["%{hmm}"] } == "doh"
+    end
+  end
+
+  describe "blacklist field names with interpolation" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          blacklist_names => [ "firstname", "(hobby|status)", "%{firstname}_saying" ]
+          interpolate     => true
+        }
+      }
+    CONFIG
+
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == nil
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == "Borat Sagdiyev"
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == "Somethere in Kazakhstan"
+      insist { subject["hobby"] } == nil
+      insist { subject["status"] } == nil
+      insist { subject["Borat_saying"] } == nil
+      insist { subject["%{hmm}"] } == "doh"
+    end
+  end
+
+  describe "whitelist field values" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          # This should only  permit fields named 'firstname', 'fullname',
+          # 'location', 'status', etc.
+          whitelist_values => [ "firstname", "^Borat$",
+                                "fullname", "%{firstname} Sagdiyev",
+                                "location", "no no no",
+                                "status", "^2",
+                                "%{firstname}_saying", "%{hobby}.*Active" ]
+        }
+      }
+    CONFIG
+
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == "Borat"
+
+      # TODO(sissel): According to the config above, this should be nil because
+      # it is not in the list of whitelisted fields, but we expect it to be
+      # "Sagdiyev" ? I am confused.
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == nil
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == nil
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == "200"
+      insist { subject["Borat_saying"] } == "Cloud is not ready for enterprise if is not integrate with single server running Active Directory."
+
+      # TODO(sissel): Contrary to the 'lastname' check, we expect %{hmm} field
+      # to be nil because it is not whitelisted, yes? Contradictory insists 
+      # here. I don't know what the intended behavior is... Seems like
+      # whitelist means 'anything not here' but since this test is written
+      # confusingly, I dont' know how to move forward.
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "whitelist field values with interpolation" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          whitelist_values => [ "firstname", "^Borat$",
+                                "fullname", "%{firstname} Sagdiyev",
+                                "location", "no no no",
+                                "status", "^2",
+                                "%{firstname}_saying", "%{hobby}.*Active" ]
+          interpolate      => true
+        }
+      }
+    CONFIG
+
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == "Borat"
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == "Borat Sagdiyev"
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == nil
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == "200"
+      insist { subject["Borat_saying"] } == "Cloud is not ready for enterprise if is not integrate with single server running Active Directory."
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "blacklist field values" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          blacklist_values => [ "firstname", "^Borat$",
+                                "fullname", "%{firstname} Sagdiyev",
+                                "location", "no no no",
+                                "status", "^2",
+                                "%{firstname}_saying", "%{hobby}.*Active" ]
+        }
+      }
+    CONFIG
+
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == nil
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == "Borat Sagdiyev"
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == "Somethere in Kazakhstan"
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == nil
+      insist { subject["Borat_saying"] } == "Cloud is not ready for enterprise if is not integrate with single server running Active Directory."
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "blacklist field values with interpolation" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          blacklist_values => [ "firstname", "^Borat$",
+                                "fullname", "%{firstname} Sagdiyev",
+                                "location", "no no no",
+                                "status", "^2",
+                                "%{firstname}_saying", "%{hobby}.*Active" ]
+          interpolate      => true
+        }
+      }
+    CONFIG
+
+    sample(
+      "firstname"    => "Borat",
+      "lastname"     => "Sagdiyev",
+      "fullname"     => "Borat Sagdiyev",
+      "country"      => "Kazakhstan",
+      "location"     => "Somethere in Kazakhstan",
+      "hobby"        => "Cloud",
+      "status"       => "200",
+      "Borat_saying" => "Cloud is not ready for enterprise if is not integrate with single server running Active Directory.",
+      "%{hmm}"       => "doh"
+    ) do
+      insist { subject["firstname"] } == nil
+      insist { subject["lastname"] } == "Sagdiyev"
+      insist { subject["fullname"] } == nil
+      insist { subject["country"] } == "Kazakhstan"
+      insist { subject["location"] } == "Somethere in Kazakhstan"
+      insist { subject["hobby"] } == "Cloud"
+      insist { subject["status"] } == nil
+      insist { subject["Borat_saying"] } == nil
+      insist { subject["%{hmm}"] } == nil
+    end
+  end
+
+  describe "whitelist field values on fields witn array values" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          whitelist_values => [ "status", "^(1|2|3)",
+                                "xxx", "3",
+                                "error", "%{blah}" ]
+        }
+      }
+    CONFIG
+
+    sample(
+      "blah"   => "foo",
+      "xxx" => [ "1 2 3", "3 4 5" ],
+      "status" => [ "100", "200", "300", "400", "500" ],
+      "error"  => [ "This is foolish" , "Need smthing smart too" ]
+    ) do
+      insist { subject["blah"] } == "foo"
+      insist { subject["error"] } == nil
+      insist { subject["xxx"] } == [ "1 2 3", "3 4 5" ]
+      insist { subject["status"] } == [ "100", "200", "300" ]
+    end
+  end
+
+  describe "blacklist field values on fields witn array values" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          blacklist_values => [ "status", "^(1|2|3)",
+                                "xxx", "3",
+                                "error", "%{blah}" ]
+        }
+      }
+    CONFIG
+
+    sample(
+      "blah"   => "foo",
+      "xxx" => [ "1 2 3", "3 4 5" ],
+      "status" => [ "100", "200", "300", "400", "500" ],
+      "error"  => [ "This is foolish", "Need smthing smart too" ]
+    ) do
+      insist { subject["blah"] } == "foo"
+      insist { subject["error"] } == [ "This is foolish", "Need smthing smart too" ]
+      insist { subject["xxx"] } == nil
+      insist { subject["status"] } == [ "400", "500" ]
+    end
+  end
+
+  describe "whitelist field values with interpolation on fields witn array values" do
+ 
+    config <<-CONFIG
+      filter {
+        prune {
+          whitelist_values => [ "status", "^(1|2|3)",
+                                "xxx", "3",
+                                "error", "%{blah}" ]
+          interpolate      => true
+        }
+      }
+    CONFIG
+
+    sample(
+      "blah"   => "foo",
+      "xxx" => [ "1 2 3", "3 4 5" ],
+      "status" => [ "100", "200", "300", "400", "500" ],
+      "error"  => [ "This is foolish" , "Need smthing smart too" ]
+    ) do
+      insist { subject["blah"] } == "foo"
+      insist { subject["error"] } == [ "This is foolish" ]
+      insist { subject["xxx"] } == [ "1 2 3", "3 4 5" ]
+      insist { subject["status"] } == [ "100", "200", "300" ]
+    end
+  end
+
+  describe "blacklist field values with interpolation on fields witn array values" do
+
+    config <<-CONFIG
+      filter {
+        prune {
+          blacklist_values => [ "status", "^(1|2|3)",
+                                "xxx", "3",
+                                "error", "%{blah}" ]
+          interpolate      => true
+        }
+      }
+    CONFIG
+
+    sample(
+      "blah"   => "foo",
+      "xxx" => [ "1 2 3", "3 4 5" ],
+      "status" => [ "100", "200", "300", "400", "500" ],
+      "error"  => [ "This is foolish" , "Need smthing smart too" ]
+    ) do
+      insist { subject["blah"] } == "foo"
+      insist { subject["error"] } == [ "Need smthing smart too" ]
+      insist { subject["xxx"] } == nil
+      insist { subject["status"] } == [ "400", "500" ]
+    end
+  end
+
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-prune
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+description: The prune filter is for pruning event data from fields based on whitelist/blacklist
+  of field names or their values (names and values can also be regular expressions)
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Rakefile
+- lib/logstash/filters/prune.rb
+- logstash-filter-prune.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/prune_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: The prune filter is for pruning event data from fields based on whitelist/blacklist
+  of field names or their values (names and values can also be regular expressions)
+test_files:
+- spec/filters/prune_spec.rb