logstash-filter-transaction_time 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: df5ee7635060bbbad794fd0e0f833f461ba721b1
+  data.tar.gz: 7b6a091cf7af7fb18c113f7f51589c70d56c8536
+SHA512:
+  metadata.gz: 85dfd46602f89ac8cfefdc04cf0884689df48521f1d36cfde35a9762881c7d399525128c5ab5b3eb2cfd725029ab1c3d201a789d0eea93bcfa5c1beb83b5a184
+  data.tar.gz: faa6f933e23971346e19b4724354f494c0bb66f0e23da2c10917d21cb5c8353ba217b19f3bb0b94b730eab54b060e58a9fc3947bde8e187ced12252f19ff336f

data/CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.1.0
+  - Plugin created with the logstash plugin generator

data/CONTRIBUTORS

@@ -0,0 +1,10 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Tommy Welleby - tommywelleby@gmail.com
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-transaction_time
+Example filter plugin. This should help bootstrap your effort to write your own filter plugin!

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gemspec
+

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,97 @@
+# About
+This plugin is a substitute for the logstash-filter-elapsed plugin. 
+The elapsed-plugin requires a transaction to be executed in a specified order and then decorates the last part of the transaction (or creates a new event) with the elapsed time.
+The order of which the parts of a transaction is received cannot always be predicted when using multiple workers for a pipeline.
+Hence the need for this plugin.
+This plugin, like elapsed, uses a unique identifier to pair events in a transaction.
+But instead of defining a start and an end for a transaction - only the unique identifier is used. 
+This of course has some implications. The biggest one not being able to decorate the last part of the transaction since it may or may not be the same type of event.
+Instead the transaction time is stored together with the unique identifier. Either in the same or another index.
+
+
+# Logstash Plugin
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+bin/logstash-plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/logstash-plugin install /your/local/plugin/logstash-filter-awesome.gem
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash/filters/transaction_time.rb

@@ -0,0 +1,214 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+# This  filter will replace the contents of the default 
+# message field with whatever you specify in the configuration.
+#
+# It is only intended to be used as an .
+class LogStash::Filters::TransactionTime < LogStash::Filters::Base
+
+  HOST_FIELD = "host"
+  TRANSACTION_TIME_TAG = "TransactionTime"
+  TRANSACTION_TIME_FIELD = "transaction_time"
+  TRANSACTION_UID_FIELD = "transaction_uid"
+  TIMESTAMP_START_FIELD = "timestamp_start"
+
+  config_name "transaction_time"
+  
+  # The name of the UID-field used to identify transaction-pairs
+  config :uid_field, :validate => :string, :required => true
+  # The amount of time (in seconds) before a transaction is dropped. Defaults to 5 minutes
+  config :timeout, :validate => :number, :default => 300
+  # What tag to use as timestamp when calculating the elapsed transaction time. Defaults to @timestamp
+  config :timestamp_tag, :validate => :string, :default => "@timestamp"
+  # Override the new events timestamp with the oldest or newest timestamp or keep the new one (set when logstash has processed the event)
+  config :replace_timestamp, :validate => ['keep', 'oldest', 'newest'], :default => 'keep'
+  # Tag used to identify transactional events. If set, only events tagged with the specified tag attached will be concidered transactions and be processed by the plugin
+  config :filter_tag, :validate => :string
+  # Whether or not to attach one or none of the events in a transaction to the output event. 
+  # Defaults to 'none' - which reduces memory footprint by not adding the event to the transactionlist.
+  config :attach_event, :validate => ['first','last','oldest','newest','none'], :default => 'none'
+
+  public
+  def register
+    # Add instance variables 
+    @transactions = Hash.new
+    @mutex = Mutex.new
+    @storeEvent = !(@attach_event.eql?"none")
+    @@timestampTag = @timestamp_tag
+  end # def register
+
+  def transactions
+      @transactions
+  end
+  def self.timestampTag
+    @@timestampTag
+  end
+
+  public
+  def filter(event)
+    
+    uid = event.get(@uid_field)
+    #return if uid.nil?
+
+    @logger.debug("Received UID", uid: uid)
+
+    if (@filter_tag.nil? || (!event.get("tags").nil? && event.get("tags").include?(@filter_tag)))
+      @mutex.synchronize do
+        if(!@transactions.has_key?(uid))
+          @transactions[uid] = LogStash::Filters::TransactionTime::Transaction.new(event, uid, @storeEvent)
+        else #End of transaction
+          @transactions[uid].addSecond(event,@storeEvent)
+          transaction_event = new_transactiontime_event(@transactions[uid])
+          filter_matched(transaction_event)
+          yield transaction_event if block_given?
+          @transactions.delete(uid)
+        end
+      end
+    end
+
+    event.set("uid_field", @uid_field)
+
+    # filter_matched should go in the last line of our successful code
+    filter_matched(event)
+  end # def filter
+
+
+  # The method is invoked by LogStash every 5 seconds.
+  def flush(options = {})
+    expired_elements = []
+
+    @mutex.synchronize do
+      increment_age_by(5)
+      expired_elements = remove_expired_elements()
+    end
+
+    #return create_expired_events_from(expired_elements)
+  end
+
+  private
+  def increment_age_by(seconds)
+    @transactions.each_pair do |key, transaction|
+      transaction.age += seconds
+    end
+  end
+
+  # Remove the expired "start events" from the internal
+  # buffer and return them.
+  def remove_expired_elements()
+    expired = []
+    @transactions.delete_if do |key, transaction|
+      if(transaction.age >= @timeout)
+        expired << transaction
+        next true
+      end
+      next false
+    end
+    return expired
+  end
+
+  def new_transactiontime_event(transaction)
+      case @attach_event
+      when 'oldest'
+        event = transaction.getOldestEvent()
+      when 'first'
+        event = transaction.firstEvent
+      when 'newest'
+        event = transaction.getNewestEvent()
+      when 'last'
+        event = transaction.lastEvent
+      else 
+        event = LogStash::Event.new
+      end
+      event.set(HOST_FIELD, Socket.gethostname)
+
+      event.tag(TRANSACTION_TIME_TAG)
+      event.set(TRANSACTION_TIME_FIELD, transaction.diff)
+      event.set(TRANSACTION_UID_FIELD, transaction.uid)
+      event.set(TIMESTAMP_START_FIELD, transaction.getOldestTimestamp())
+
+      if(@replace_timestamp.eql?'oldest')
+        event.set("@timestamp", transaction.getOldestTimestamp())
+      elsif (@replace_timestamp.eql?'newest')
+        event.set("@timestamp", transaction.getNewestTimestamp())
+      end
+          
+
+      return event
+  end
+
+
+end # class LogStash::Filters::TransactionTime
+
+
+
+
+
+
+
+class LogStash::Filters::TransactionTime::Transaction
+  attr_accessor :firstEvent, :lastEvent,:firstTimestamp, :secondTimestamp, :uid, :age, :diff
+
+  def initialize(firstEvent, uid, storeEvent = false)
+    if(storeEvent)
+      @firstEvent = firstEvent
+    end
+    @firstTimestamp = firstEvent.get(LogStash::Filters::TransactionTime.timestampTag)
+    @uid = uid
+    @age = 0
+  end
+
+  def addSecond(lastEvent,storeEvent = false)
+    if(storeEvent)
+      @lastEvent = lastEvent
+    end
+    @secondTimestamp = lastEvent.get(LogStash::Filters::TransactionTime.timestampTag)
+    @diff = calculateDiff()
+  end
+
+  #Gets the first (based on timestamp) event
+  def getOldestEvent() 
+    if invalidTransaction()
+      return nil
+    end
+
+    if(@firstTimestamp < @secondTimestamp)
+      return @firstEvent
+    else
+      return @lastEvent
+    end
+  end
+
+  def getOldestTimestamp()
+    return [@firstTimestamp,@secondTimestamp].min
+  end
+
+  #Gets the last (based on timestamp) event
+  def getNewestEvent() 
+    if invalidTransaction()
+      return nil
+    end
+    if(@firstTimestamp > @secondTimestamp)
+      return @firstEvent
+    else
+      return @lastEvent
+    end
+  end
+
+  def getNewestTimestamp()
+    return [@firstTimestamp,@secondTimestamp].max
+  end
+
+  def invalidTransaction()
+    return firstTimestamp.nil? || secondTimestamp.nil?
+  end
+
+  def calculateDiff()
+    if invalidTransaction()
+      return nil
+    end
+
+    return getNewestTimestamp() - getOldestTimestamp()
+  end
+end

data/logstash-filter-transaction_time.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name          = 'logstash-filter-transaction_time'
+  s.version       = '1.0.0'
+  s.licenses      = ['Apache-2.0','Apache License (2.0)']
+  s.summary       = 'Writes the time difference between two events in a transaction to a new event'
+  s.description   = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program'
+  s.homepage      = 'http://addinit.se/'
+  s.authors       = ['Tommy Welleby']
+  s.email         = 'tommy.welleby@addinit.se'
+  s.require_paths = ['lib']
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+  s.add_development_dependency 'logstash-devutils'
+end

data/spec/filters/transaction_time_spec.rb

@@ -0,0 +1,319 @@
+# encoding: utf-8
+require_relative '../spec_helper'
+require "logstash/filters/transaction_time"
+
+
+describe LogStash::Filters::TransactionTime do
+  UID_FIELD = "uniqueIdField"
+  TIMEOUT = 30
+
+
+  describe "Set to Hello World" do
+    let(:config) do <<-CONFIG
+      filter {
+        transaction_time {
+          timestamp_tag => "@timestamp"
+          uid_field => "uid"
+        }
+      }
+    CONFIG
+    end
+
+    sample("timestamp_tag" => "testing") do
+      expect(subject).to include("timestamp_tag")
+      expect(subject.get('timestamp_tag')).to eq('testing')
+    end
+
+    sample("uid_field" => "some text") do
+      expect(subject).to include("uid_field")
+      expect(subject.get('uid_field')).to eq('uid')
+    end
+  end
+
+  def event(data)
+    data["message"] ||= "Log message"
+    LogStash::Event.new(data)
+  end
+
+  before(:each) do
+    setup_filter()
+  end
+
+  def setup_filter(config = {})
+    @config = {"uid_field" => UID_FIELD, "timeout" => TIMEOUT, "attach_event" => 'first'}
+    @config.merge!(config)
+    @filter = LogStash::Filters::TransactionTime.new(@config)
+    @filter.register
+  end
+
+  context "Testing Hash with UID. " do
+    describe "Receiving" do
+      uid = "D7AF37D9-4F7F-4EFC-B481-06F65F75E8C0"
+      uid2 = "5DE49829-5CD3-4103-8062-781AC63BE4F5"
+      describe "one event" do
+        it "records the transaction" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid))
+          #insist { @filter.events[uid] } == "HEJ"
+          insist { @filter.transactions.size } == 1
+          insist { @filter.transactions[uid].firstEvent } != nil
+          insist { @filter.transactions[uid].lastEvent } == nil
+        end
+      end
+      describe "and events with the same UID" do
+        it "completes and removes transaction" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid))
+          insist { @filter.transactions.size } == 0
+          insist { @filter.transactions[uid] } == nil
+        end
+      end
+      describe "and events with different UID" do
+        it "increases the number of transactions to two" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid2))
+          insist { @filter.transactions.size } == 2
+          insist { @filter.transactions[uid].firstEvent } != nil
+          insist { @filter.transactions[uid].lastEvent } == nil
+          insist { @filter.transactions[uid2].firstEvent } != nil
+          insist { @filter.transactions[uid2].lastEvent } == nil
+        end
+      end
+    end
+  end
+
+  context "Testing TransactionTime. " do
+    describe "Receiving" do
+      uid = "D7AF37D9-4F7F-4EFC-B481-06F65F75E8CC"
+      describe "two events with the same UID in cronological order" do
+        it "calculates TransactionTime with last presicion" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:21.000+0100"))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("transaction_time") } == 1.0
+          end
+          insist { @filter.transactions.size } == 0
+          insist { @filter.transactions[uid] } == nil
+        end
+        it "calculates TransactionTime with ms presicion" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:21.001+0100"))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("transaction_time") } == 0.999
+          end
+          insist { @filter.transactions.size } == 0
+          insist { @filter.transactions[uid] } == nil
+        end
+      end
+      describe "two events with the same UID in REVERSED cronological order" do
+        it "calculates TransactionTime with last presicion" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:21.000+0100"))do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("transaction_time") } == 1.0
+          end
+          insist { @filter.transactions.size } == 0
+          insist { @filter.transactions[uid] } == nil
+        end
+        it "calculates TransactionTime with ms presicion" do
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:21.001+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("transaction_time") } == 0.999
+          end
+          insist { @filter.transactions.size } == 0
+          insist { @filter.transactions[uid] } == nil
+        end
+      end
+    end
+  end #end context Testing TransactionTime
+
+  context "Testing flush. " do
+    uid = "D7AF37D9-4F7F-4EFC-B481-06F65F75E8CC"
+    uid2 = "C27BBC4C-6456-4581-982E-7497B4C7E754"
+    describe "Call flush enough times" do
+      it "flushes all old transactions" do
+        @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+        insist { @filter.transactions.size } == 1
+        @filter.filter(event("message" => "Log message", UID_FIELD => uid2, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+        insist { @filter.transactions.size } == 2
+        ((TIMEOUT/5)-1).times do
+          @filter.flush()
+        end 
+        insist { @filter.transactions.size } == 2
+        @filter.flush()
+        insist { @filter.transactions.size } == 0
+      end
+      it "does not flush newer transactions" do
+        @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+        insist { @filter.transactions.size } == 1
+        ((TIMEOUT/5)-1).times do
+          @filter.flush()
+        end 
+        @filter.filter(event("message" => "Log message", UID_FIELD => uid2, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+        insist { @filter.transactions.size } == 2
+        @filter.flush()
+        insist { @filter.transactions.size } == 1
+      end
+    end
+  end
+
+  context "Testing Timestamp Override." do
+    uid = "D7AF37D9-4F7F-4EFC-B481-06F65F75E8CC"
+    describe "Two events with the same UID" do
+      describe "When config set to replace_timestamp => oldest" do
+        it "sets the timestamp to the oldest" do
+          config = {"replace_timestamp" => 'oldest'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("@timestamp").to_s } == LogStash::Timestamp.parse_iso8601("2018-04-22T09:46:22.000+0100").to_s
+          end
+        end
+      end
+      describe "When config set to replace_timestamp => newest" do
+        it "sets the timestamp to the newest" do
+          config = {"replace_timestamp" => 'newest'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("@timestamp").to_s } == LogStash::Timestamp.parse_iso8601("2018-04-22T09:46:22.100+0100").to_s
+          end
+        end
+      end
+    end
+  end
+
+  context "Testing filter_tag." do
+    uid = "D7AF37D9-4F7F-4EFC-B481-06F65F75E8CC"
+    uid2 = "58C8B705-49C5-4269-92D9-2C959599534C"
+    describe "Incoming events with different UID" do
+      describe "only two tagged with specified 'filter_tag'" do
+        it "registers only two transactions" do
+          config = {"filter_tag" => 'transaction'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          insist { @filter.transactions.size } == 0
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100", "tags" => ['transaction']))
+          insist { @filter.transactions.size } == 1
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid2, "@timestamp" => "2018-04-22T09:46:22.100+0100"))
+          insist { @filter.transactions.size } == 1
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid2, "@timestamp" => "2018-04-22T09:46:22.100+0100", "tags" => ['unrelated']))
+          insist { @filter.transactions.size } == 1
+          @filter.filter(event("message" => "Log message", UID_FIELD => uid2, "@timestamp" => "2018-04-22T09:46:22.100+0100", "tags" => ['transaction']))
+          insist { @filter.transactions.size } == 2
+        end
+      end
+    end
+  end
+
+
+  context "Testing attach_event." do
+    uid = "9ACCA7B7-D0E9-4E52-A023-9D588E5BE42C"
+    describe "Config attach_event" do
+      describe "with 'first'" do
+        it "attaches info from first event in transaction" do
+          config = {"attach_event" => 'first'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "first", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "last", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("message") } != nil
+            insist { new_event.get("message") } == "first"
+          end
+        end
+      end
+      describe "with 'last'" do
+        it "attaches info from last event in transaction" do
+          config = {"attach_event" => 'last'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "first", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "last", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("message") } != nil
+            insist { new_event.get("message") } == "last"
+          end
+        end
+      end
+      describe "with 'oldest'" do
+        it "attaches info from oldest event in transaction" do
+          config = {"attach_event" => 'oldest'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "oldest", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "newest", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("message") } != nil
+            insist { new_event.get("message") } == "oldest"
+          end
+        end
+      end
+      describe "with 'newest'" do
+        it "attaches info from newest event in transaction" do
+          config = {"attach_event" => 'newest'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "oldest", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "newest", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("message") } != nil
+            insist { new_event.get("message") } == "newest"
+          end
+        end
+      end
+      describe "with 'none'" do
+        it "attaches no info from any event in transaction" do
+          config = {"attach_event" => 'none'}
+          @config.merge!(config)
+
+          @filter = LogStash::Filters::TransactionTime.new(@config)
+          @filter.register
+
+          @filter.filter(event("message" => "oldest", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.000+0100"))
+          @filter.filter(event("message" => "newest", UID_FIELD => uid, "@timestamp" => "2018-04-22T09:46:22.100+0100")) do | new_event |
+            insist { new_event } != nil
+            insist { new_event.get("tags").include?("TransactionTime") }
+            insist { new_event.get("message") } == nil
+          end
+        end
+      end
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,88 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-transaction_time
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Tommy Welleby
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-04-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
+email: tommy.welleby@addinit.se
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/filters/transaction_time.rb
+- logstash-filter-transaction_time.gemspec
+- spec/filters/transaction_time_spec.rb
+- spec/spec_helper.rb
+homepage: http://addinit.se/
+licenses:
+- Apache-2.0
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.14.1
+signing_key:
+specification_version: 4
+summary: Writes the time difference between two events in a transaction to a new event
+test_files:
+- spec/filters/transaction_time_spec.rb
+- spec/spec_helper.rb