logstash-filter-transaction_time 1.0.0 → 1.0.1
- checksums.yaml +4 -4
- data/README.md +4 -3
- data/lib/logstash/filters/transaction_time.rb +67 -3
- data/logstash-filter-transaction_time.gemspec +2 -2
- metadata +4 -3
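--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 791175d5aab745baae8183abe08c091593f0d0ca
+data.tar.gz: d6d2326111fb55b7b36816dbc068b3f63f8a58c3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3c6ec8cda7e6da7c3dd9b32c0a347a5bfd811d4ecf182341b8dd054bf3b94bcaa8b40c76ef3ad5447dcb073a83ccfaf51102c865a08d8f72182343740508e801
+data.tar.gz: 9733638d214930bebae4a08f0aa22046a32bed7f12394df2ff6f7446e76004684d6e65a9bb2d44636b46c14427ac68ca21d792fcbd929fac1f528e1207710aa2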
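--- a/data/README.md
+++ b/data/README.md
@@ -1,12 +1,13 @@
 # About
-This plugin is a substitute for the logstash-filter-elapsed plugin.
+This plugin is a substitute for the [logstash-filter-elapsed](https://www.elastic.co/guide/en/logstash/current/plugins-filters-elapsed.html) plugin.
 The elapsed-plugin requires a transaction to be executed in a specified order and then decorates the last part of the transaction (or creates a new event) with the elapsed time.
 The order of which the parts of a transaction is received cannot always be predicted when using multiple workers for a pipeline.
 Hence the need for this plugin.
 This plugin, like elapsed, uses a unique identifier to pair events in a transaction.
 But instead of defining a start and an end for a transaction - only the unique identifier is used.
-
-
+Per default the transaction time is stored together with the unique identifier in a new event, which may be stored in the same or another index.
+The information from the first, last, oldest or newest event may be attached with the new transaction_time event.
+
 
 
 # Logstash Plugin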
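--- a/data/lib/logstash/filters/transaction_time.rb
+++ b/data/lib/logstash/filters/transaction_time.rb
@@ -2,10 +2,74 @@
 require "logstash/filters/base"
 require "logstash/namespace"
 
-#
-# message field with whatever you specify in the configuration.
+# The TransactionTime filter measures the time between two events in a transaction
 #
-#
+# This filter is supposed to be used instead of logstash-filters-elapsed
+# when you know that the order of a transaction cannot be guaranteed.
+# Which is most likely the case if you are using multiple workers and
+# a big amount of events are entering the pipeline in a rapid manner.
+#
+# # The configuration looks like this:
+# [source,ruby]
+# filter {
+# transaction_time {
+# uid_field => "Transaction-unique field"
+# timeout => seconds
+# timestamp_tag => "name of timestamp"
+# replace_timestamp => ['keep', 'oldest', 'newest']
+# filter_tag => "transaction tag"
+# attach_event => ['first','last','oldest','newest','none']
+# }
+# }
+#
+#
+# The only required parameter is "uid_field" which is used to identify
+# the events in a transaction. A transaction is concidered complete
+# when two events with the same UID has been captured.
+# It is when a transaction completes that the transaction time is calculated.
+#
+# The timeout parameter determines the maximum length of a transaction.
+# It is set to 300 (5 minutes) by default.
+# The transaction will not be recorded if timeout duration is exceeded.
+# The value of this parameter will have an impact on the memory footprint of the plugin.
+#
+# The timestamp_tag parameter may be used to select a specific field in the events to use
+# when calculating the transaction time. The default field is @timestamp.
+#
+# The new event created when a transaction completes may set its own timestamp (default)
+# to when it completes or it may use the timestamp of one of the events in the transaction.
+# The parameter replace_timestamp is used specify this behaviour.
+#
+# Since this plugin exclusivly calculates the time between events in a transaction,
+# it may be wise to filter out the events that are infact not transactions.
+# This will help reduce both the memory footprint and processing time of this plugin,
+# especially if the pipeline receives a lot of non-transactional events.
+# You could use grok and/or mutate to apply this filter like this:
+# [source,ruby]
+# filter {
+# grok{
+# match => { "message" => "(?<message_type>.*)\t(?<msgbody>.*)\t+UID:%{UUID:uid}" }
+# }
+# if [message_type] in ["MaterialIdentified","Recipe","Result"."ReleaseMaterial"]{
+# mutate {
+# add_tag => "Transaction"
+# }
+# }
+# transaction_time {
+# uid_field => "Transaction-unique field"
+# filter_tag => "transaction tag"
+# }
+# }
+#
+# In the example, grok is used to identify the message_type and then the tag "transaction"
+# is added for a specific set of messages.
+# This tag is then used in the transaction_time as filter_tag.
+# Only the messages with this tag will be evaluated.
+#
+# The attach_event parameter can be used to append information from one of the events to the
+# new transaction_time event. The default is to not attach anything.
+# The memory footprint is kept to a minimum by using the default value.
+
 class LogStash::Filters::TransactionTime < LogStash::Filters::Base
 
 HOST_FIELD = "host"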
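Review bot: The second configuration example in the new header comment would not work if copied: the conditional list reads `["MaterialIdentified","Recipe","Result"."ReleaseMaterial"]` with a `.` where a `,` belongs, and the mutate adds the tag `"Transaction"` while `filter_tag` is set to `"transaction tag"` and the explanation below calls it "transaction". I would write `# if [message_type] in ["MaterialIdentified","Recipe","Result","ReleaseMaterial"] {` and use one spelling of the tag in `add_tag`, `filter_tag` and the prose, e.g. `# filter_tag => "Transaction"`. The comment already says the timeout affects the memory footprint; because `uid_field` values come from event data, one more sentence would help operators size it, stating that unmatched events are presumably held until the timeout, so a stream of never-repeating UIDs grows memory and `filter_tag` plus a short `timeout` are the controls. The class body continues outside the hunk, so how pending events are stored cannot be confirmed from here.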
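--- a/data/logstash-filter-transaction_time.gemspec
+++ b/data/logstash-filter-transaction_time.gemspec
@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-filter-transaction_time'
-s.version = '1.0.
+s.version = '1.0.1'
 s.licenses = ['Apache-2.0','Apache License (2.0)']
 s.summary = 'Writes the time difference between two events in a transaction to a new event'
-s.description = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program'
+s.description = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program. Source-code and documentation available at github: https://github.com/AddinITAB/logstash-filter-transaction_time'
 s.homepage = 'http://addinit.se/'
 s.authors = ['Tommy Welleby']
 s.email = 'tommy.welleby@addinit.se'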
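--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-transaction_time
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.1
 platform: ruby
 authors:
 - Tommy Welleby
@@ -38,9 +38,10 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description: This gem is a Logstash plugin required to be installed on top of the
+description: 'This gem is a Logstash plugin required to be installed on top of the
 Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
-gem is not a stand-alone program
+gem is not a stand-alone program. Source-code and documentation available at github:
+https://github.com/AddinITAB/logstash-filter-transaction_time'
 email: tommy.welleby@addinit.se
 executables: []
 extensions: []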