logstash-filter-range 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    Nzk5Y2ZkNTcwNTczZDA1YjEyYjY0ZDZjMjZkNGE2MGI2NmE3M2E4Yg==
+  data.tar.gz: !binary |-
+    M2YwYjc5Mjc5ZGY1NjVlY2VlMWZkNWJhOThhMjNkYzdiMGJkMjI0Ng==
+SHA512:
+  metadata.gz: !binary |-
+    ODk3ODk4NjU3MzdmM2M0MTk3ZGViN2ZiOTVjMjYxYjZkZWM1NThmYTAxMzc3
+    M2JlZmRjYTQwY2M0YmU1MzEwNDRmMTA0MjU0ZTM3ZDM3MjFmZTA3MTk4ZjMx
+    YWQxMGNiNGM2NjAyNjA3Yzg3YjNmN2ViNDZkYzZmNWJlOWU0MGQ=
+  data.tar.gz: !binary |-
+    YjQ0ZGE0ZTZhMDc3NGIyNWE2MTUwNDNkNDA1NTE4NGI3NzIzNzBkMmM0ODdl
+    ZTAyMTkyZmJiMmMwMWUwZTc5YjNiNjVhNGMyYjQwMzlkOWM4ZGIzZWMzNGVk
+    NTc3MjhlZTM0ZjM5M2MwNDY0OWU2MjU1M2VhZThjNmMzOGY1MmU=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/range.rb

@@ -0,0 +1,143 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+
+# This filter is used to check that certain fields are within expected size/length ranges.
+# Supported types are numbers and strings.
+# Numbers are checked to be within numeric value range.
+# Strings are checked to be within string length range.
+# More than one range can be specified for same fieldname, actions will be applied incrementally.
+# When field value is within a specified range an action will be taken.
+# Supported actions are drop event, add tag, or add field with specified value.
+#
+# Example use cases are for histogram-like tagging of events
+# or for finding anomaly values in fields or too big events that should be dropped.
+
+class LogStash::Filters::Range < LogStash::Filters::Base
+  config_name "range"
+  milestone 1
+
+  # An array of field, min, max, action tuples.
+  # Example:
+  #
+  #     filter {
+  #       %PLUGIN% {
+  #         ranges => [ "message", 0, 10, "tag:short",
+  #                     "message", 11, 100, "tag:medium",
+  #                     "message", 101, 1000, "tag:long",
+  #                     "message", 1001, 1e1000, "drop",
+  #                     "duration", 0, 100, "field:latency:fast",
+  #                     "duration", 101, 200, "field:latency:normal",
+  #                     "duration", 201, 1000, "field:latency:slow",
+  #                     "duration", 1001, 1e1000, "field:latency:outlier",
+  #                     "requests", 0, 10, "tag:too_few_%{host}_requests" ]
+  #       }
+  #     }
+  #
+  # Supported actions are drop tag or field with specified value.
+  # Added tag names and field names and field values can have %{dynamic} values.
+  #
+  # TODO(piavlo): The action syntax is ugly at the moment due to logstash grammar limitations - arrays grammar should support
+  # TODO(piavlo): simple not nested hashses as values in addition to numaric and string values to prettify the syntax.
+  config :ranges, :validate => :array, :default => []
+
+  # Negate the range match logic, events should be outsize of the specified range to match.
+  config :negate, :validate => :boolean, :default => false
+
+  public
+  def register
+    if @ranges.length % 4 != 0
+      raise "#{self.class.name}: ranges array should consist of 4 field tuples (field,min,max,action)"
+    end
+  
+    @range_tuples = {}
+
+    while !@ranges.empty?
+      fieldname, min, max, action = @ranges.shift(4)
+      
+      raise "#{self.class.name}: range field name value should be a string" if !fieldname.is_a?(String)
+      raise "#{self.class.name}: range min value should be a number" if !min.is_a?(Integer) and !min.is_a?(Float)
+      raise "#{self.class.name}: range max value should be a number" if !max.is_a?(Integer) and !max.is_a?(Float)
+      raise "#{self.class.name}: range action value should be a string" if !action.is_a?(String)
+      
+      action = action.split(':')
+      
+      case action.first
+      when "drop"
+        raise "#{self.class.name}: drop action does not accept any parameters" unless action.length == 1
+        action = { :name => :drop }
+      when "tag"
+        raise "#{self.class.name}: tag action accepts exactly one arg which is a tag name" unless action.length == 2
+        action = { :name => :add_tag, :tag => action.last }
+      when "field"
+        raise "#{self.class.name}: field action accepts exactly 2 args which are a field name and field value" unless action.length == 3
+        if action.last == action.last.to_i.to_s
+          value = action.last.to_i
+        elsif action.last == action.last.to_f.to_s
+          value = action.last.to_f
+        else
+          value = action.last
+        end
+        action = { :name => :add_field, :field => action[1], :value => value }
+      else
+        raise "#{self.class.name}: unsupported action #{action}"
+      end
+      
+      @range_tuples[fieldname] ||= []
+      @range_tuples[fieldname] << { :min => min, :max => max, :action => action }
+    end
+  end # def register
+
+ 
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    @range_tuples.each_key do |fieldname|
+      if event.include?(fieldname)
+        @range_tuples[fieldname].each do |range|
+          matched = false
+        
+          field = event[fieldname]
+          case field
+          when Integer
+            matched = field.between?(range[:min], range[:max])
+          when Float
+            matched = field.between?(range[:min], range[:max])
+          when String
+            matched = field.length.between?(range[:min], range[:max])
+          else
+            @logger.warn("#{self.class.name}: action field value has unsupported type")
+          end
+
+          matched = !matched if @negate
+          next unless matched
+        
+          case range[:action][:name]
+          when :drop
+            @logger.debug? and @logger.debug("#{self.class.name}: dropping event due to range match", :event => event)
+            event.cancel
+            return
+          when :add_tag
+            @logger.debug? and @logger.debug("#{self.class.name}: adding tag due to range match",
+                                             :event => event, :tag => range[:action][:tag] )
+            event.tag(event.sprintf(range[:action][:tag]))
+          when :add_field
+            @logger.debug? and @logger.debug("#{self.class.name}: adding field due to range match",
+                                              :event => event, :field => range[:action][:field], :value => range[:action][:value])
+            new_field = event.sprintf(range[:action][:field])
+            if event[new_field]
+              event[new_field] = [event[new_field]] if !event[new_field].is_a?(Array)
+              event[new_field] << event.sprintf(range[:action][:value])
+            else
+              event[new_field] = range[:action][:value].is_a?(String) ? event.sprintf(range[:action][:value]) : range[:action][:value]
+            end
+          end
+        end
+      end
+    end
+    
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::Range

data/logstash-filter-range.gemspec

@@ -0,0 +1,26 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-range'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "This filter is used to check that certain fields are within expected size/length ranges."
+  s.description     = "This filter is used to check that certain fields are within expected size/length ranges."
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/range_spec.rb

@@ -0,0 +1,169 @@
+require "spec_helper"
+require "logstash/filters/range"
+
+describe LogStash::Filters::Range do
+  
+
+  describe "range match integer field on tag action" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 10, 100, "tag:cool",
+                      "duration", 1, 1, "tag:boring" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50) do
+      insist { subject["tags"] }.include?("cool")
+      reject { subject["tags"] }.include?("boring")
+    end
+  end
+
+  describe "range match float field on tag action" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 0, 100, "tag:cool",
+                      "duration", 0, 1, "tag:boring" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50.0) do
+      insist { subject["tags"] }.include?("cool")
+      reject { subject["tags"] }.include?("boring")
+    end
+  end
+
+  describe "range match string field on tag action" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "length", 0, 10, "tag:cool",
+                      "length", 0, 1, "tag:boring" ]
+        }
+      }
+    CONFIG
+
+    sample("length" => "123456789") do
+      insist { subject["tags"] }.include?("cool")
+      reject { subject["tags"] }.include?("boring")
+    end
+  end
+
+  describe "range match with negation" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "length", 0, 10, "tag:cool",
+                      "length", 0, 1, "tag:boring" ]
+          negate => true
+        }
+      }
+    CONFIG
+
+    sample("length" => "123456789") do
+      reject { subject["tags"] }.include?("cool")
+      insist { subject["tags"] }.include?("boring")
+    end
+  end
+
+  describe "range match on drop action" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "length", 0, 10, "drop" ]
+        }
+      }
+    CONFIG
+
+    sample("length" => "123456789") do
+      insist { subject }.nil?
+    end
+  end
+
+  describe "range match on field action with string value" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 10, 100, "field:cool:foo",
+                      "duration", 1, 1, "field:boring:foo" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50) do
+      insist { subject }.include?("cool")
+      insist { subject["cool"] } == "foo"
+      reject { subject }.include?("boring")
+    end
+  end
+
+  describe "range match on field action with integer value" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 10, 100, "field:cool:666",
+                      "duration", 1, 1, "field:boring:666" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50) do
+      insist { subject }.include?("cool")
+      insist { subject["cool"] } == 666
+      reject { subject }.include?("boring")
+    end
+  end
+
+  describe "range match on field action with float value" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 10, 100, "field:cool:3.14",
+                      "duration", 1, 1, "field:boring:3.14" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50) do
+      insist { subject }.include?("cool")
+      insist { subject["cool"] } == 3.14
+      reject { subject }.include?("boring")
+    end
+  end
+
+  describe "range match on tag action with dynamic string value" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 10, 100, "tag:cool_%{dynamic}_dynamic",
+                      "duration", 1, 1, "tag:boring_%{dynamic}_dynamic" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50, "dynamic" => "and") do
+      insist { subject["tags"] }.include?("cool_and_dynamic")
+      reject { subject["tags"] }.include?("boring_and_dynamic")
+    end
+  end
+
+  describe "range match on field action with dynamic string field and value" do
+    config <<-CONFIG
+      filter {
+        range {
+          ranges => [ "duration", 10, 100, "field:cool_%{dynamic}_dynamic:foo_%{dynamic}_bar",
+                      "duration", 1, 1, "field:boring_%{dynamic}_dynamic:foo_%{dynamic}_bar" ]
+        }
+      }
+    CONFIG
+
+    sample("duration" => 50, "dynamic" => "and") do
+      insist { subject }.include?("cool_and_dynamic")
+      insist { subject["cool_and_dynamic"] } == "foo_and_bar"
+      reject { subject }.include?("boring_and_dynamic")
+    end
+  end
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-range
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+description: This filter is used to check that certain fields are within expected
+  size/length ranges.
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Rakefile
+- lib/logstash/filters/range.rb
+- logstash-filter-range.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/range_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: This filter is used to check that certain fields are within expected size/length
+  ranges.
+test_files:
+- spec/filters/range_spec.rb