logstash-filter-translate 3.1.0 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e4b8c724a742d47aa89a6237e127be569f2675a19c5752e719918bff8489c77
-  data.tar.gz: 406d7e0417251e10d1142d19027af9557f9a0993782bb16780bcdc86c943bd5e
+  metadata.gz: 1e20474957ecdfeb11d3f64ada5ca4363c80f145d9c39ced2dc5c87be22f0759
+  data.tar.gz: 485d8d8dcaeccec44a33b67495e56717b317d8de581ed28d0105e12e065a78f3
 SHA512:
-  metadata.gz: e25757bc66a2b1afa15318161c6a8182f5258e9a8f395c870e0826224f6111bfa607950e678058a423aecb733f9f23edbbaed7778067f239269786afc76341d9
-  data.tar.gz: c84f492fad3418db7e18333658691fe5a8109c6dfc15589e88415198d348cce4fa05d4b966762072387441dec06210d6c7bf5fcc92fe5bec94ffe1b5026eba9d
+  metadata.gz: c2f7191f2ba0473849477e6b6fbee92cc48cfae294fa140d5700f4228771b88f0d3afdecaa2e9a668a743ff5df97cf13f915bc264179c0d4fff50588dba29af9
+  data.tar.gz: cf76f651c156343c0829d8be92d92adf1041ce235355fa005ca3cdcf000841e0aabaa3f39ace9dba31f824067459ec80ccb7c94e12e71b71af19256757be6f71

data/CHANGELOG.md

@@ -1,3 +1,30 @@
+## 3.3.0
+  - Feat: added ECS compatibility mode [#89](https://github.com/logstash-plugins/logstash-filter-translate/pull/89)
+    - deprecated `destination` option in favor of `target` to better align with other plugins
+    - deprecated `field` option in favor of `source` to better align with other plugins
+    - when ECS compatibility is enabled, default behaviour is an in-place translation
+  - Fix: improved error handling - do not rescue potentially fatal (JVM) errors
+
+## 3.2.3
+  - Fix to align with docs - looked-up values are always strings. Coerce better. [#77](https://github.com/logstash-plugins/logstash-filter-translate/pull/77)
+  - Fix bug in dictionary/file the always applied RegexExact, manifested when dictionary keys are not regex compatible [Logstash #9936](https://github.com/elastic/logstash/issues/9936)
+  - Added info to dictionary_path description to explain why integers must be quoted
+
+## 3.2.2
+  - Fix bug in csv_file when LS config has CSV filter plugin specified as well as a csv dictionary.
+  [#70](https://github.com/logstash-plugins/logstash-filter-translate/issues/70)
+
+## 3.2.1
+  - Updated formatting of examples in documentation for consistent rendering
+
+## 3.2.0
+  - Add `iterate_on` setting to support fields that are arrays, see the docs
+  for detailed explanation.
+  [#66](https://github.com/logstash-plugins/logstash-filter-translate/issues/66)
+  - Add Rufus::Scheduler to provide asynchronous loading of dictionary.
+  [#65](https://github.com/logstash-plugins/logstash-filter-translate/issues/65)
+  - Re-organise code, yields performance improvement of around 360%
+
 ## 3.1.0
   - Add 'refresh_behaviour' to either 'merge' or 'replace' during a refresh #57
 

data/LICENSE

@@ -1,13 +1,202 @@
-Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-    http://www.apache.org/licenses/LICENSE-2.0
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2020 Elastic and contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -1,6 +1,6 @@
 # Logstash Plugin
 
-[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-filter-translate.svg)](https://travis-ci.org/logstash-plugins/logstash-filter-translate)
+[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-filter-translate.svg)](https://travis-ci.com/logstash-plugins/logstash-filter-translate)
 
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
 

data/docs/index.asciidoc

@@ -21,28 +21,71 @@ include::{include_path}/plugin_header.asciidoc[]
 ==== Description
 
 A general search and replace tool that uses a configured hash
-and/or a file to determine replacement values. Currently supported are 
-YAML, JSON, and CSV files.
+and/or a file to determine replacement values. Currently supported are
+YAML, JSON, and CSV files. Each dictionary item is a key value pair.
 
-The dictionary entries can be specified in one of two ways: First,
-the `dictionary` configuration item may contain a hash representing
-the mapping. Second, an external file (readable by logstash) may be specified
-in the `dictionary_path` configuration item. These two methods may not be used
-in conjunction; it will produce an error.
+You can specify dictionary entries in one of two ways: 
 
-Operationally, if the event field specified in the `field` configuration
-matches the EXACT contents of a dictionary entry key (or matches a regex if
-`regex` configuration item has been enabled), the field's value will be substituted
-with the matched key's value from the dictionary.
+* The `dictionary` configuration item can contain a hash representing
+the mapping. 
+* An external file (readable by logstash) may be specified in the
+`dictionary_path` configuration item. 
 
-By default, the translate filter will replace the contents of the 
-maching event field (in-place). However, by using the `destination`
-configuration item, you may also specify a target event field to
-populate with the new translated value.
+These two methods may not be used in conjunction; it will produce an error.
+
+Operationally, for each event, the value from the `source` setting is tested
+against the dictionary and if it matches exactly (or matches a regex when
+`regex` configuration item has been enabled), the matched value is put in the
+`target` field, but on no match the `fallback` setting string is used instead.
+
+Example:
+[source,ruby]
+----
+    filter {
+      translate {
+        source => "[http][response][status_code]"
+        target => "[http_status_description]"
+        dictionary => {
+          "100" => "Continue"
+          "101" => "Switching Protocols"
+          "200" => "OK"
+          "500" => "Server Error"
+        }
+        fallback => "I'm a teapot"
+      }
+    }
+----
+
+Occasionally, people find that they have a field with a variable sized array of
+values or objects that need some enrichment. The `iterate_on` setting helps in
+these cases.
 
 Alternatively, for simple string search and replacements for just a few values
 you might consider using the gsub function of the mutate filter.
 
+It is possible to provide multi-valued dictionary values. When using a YAML or
+JSON dictionary, you can have the value as a hash (map) or an array datatype.
+When using a CSV dictionary, multiple values in the translation must be
+extracted with another filter e.g. Dissect or KV. +
+Note that the `fallback` is a string so on no match the fallback setting needs
+to formatted so that a filter can extract the multiple values to the correct fields.
+
+File based dictionaries are loaded in a separate thread using a scheduler.
+If you set a `refresh_interval` of 300 seconds (5 minutes) or less then the
+modified time of the file is checked before reloading. Very large dictionaries
+are supported, internally tested at 100 000 key/values, and we minimise
+the impact on throughput by having the refresh in the scheduler thread.
+Any ongoing modification of the dictionary file should be done using a
+copy/edit/rename or create/rename mechanism to avoid the refresh code from
+processing half-baked dictionary content.
+
+[id="plugins-{type}s-{plugin}-ecs_metadata"]
+==== Compatibility with the Elastic Common Schema (ECS)
+
+The plugin acts as an in-place translator if `source` and `target` are the same
+and does not produce any new event fields.
+This is the default behavior in <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>>.
+
 [id="plugins-{type}s-{plugin}-options"]
 ==== Translate Filter Configuration Options
 
@@ -54,13 +97,17 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-destination>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-dictionary>> |<<hash,hash>>|No
 | <<plugins-{type}s-{plugin}-dictionary_path>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ecs_compatibility>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-exact>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-fallback>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-field>> |<<string,string>>|Yes
+| <<plugins-{type}s-{plugin}-field>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-iterate_on>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-override>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-refresh_interval>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-regex>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-source>> |<<string,string>>|Yes
 | <<plugins-{type}s-{plugin}-refresh_behaviour>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-target>> |<<string,string>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -69,65 +116,84 @@ filter plugins.
 &nbsp;
 
 [id="plugins-{type}s-{plugin}-destination"]
-===== `destination` 
+===== `destination`
 
   * Value type is <<string,string>>
-  * Default value is `"translation"`
+  * Deprecated alias for <<plugins-{type}s-{plugin}-target>> setting.
 
-The destination field you wish to populate with the translated code. The default
-is a field named `translation`. Set this to the same value as source if you want
-to do a substitution, in this case filter will allways succeed. This will clobber
-the old value of the source field! 
+deprecated[3.3.0, Use <<plugins-{type}s-{plugin}-target>> instead. In 4.0 this setting will be removed.]
 
 [id="plugins-{type}s-{plugin}-dictionary"]
-===== `dictionary` 
+===== `dictionary`
 
   * Value type is <<hash,hash>>
   * Default value is `{}`
 
 The dictionary to use for translation, when specified in the logstash filter
-configuration item (i.e. do not use the `@dictionary_path` file).
+configuration item (i.e. do not use the `dictionary_path` file).
 
 Example:
 [source,ruby]
+----
     filter {
       translate {
-        dictionary => { 
-          "100"         => "Continue",
-          "101"         => "Switching Protocols",
-          "merci"       => "thank you",
+        dictionary => {
+          "100"         => "Continue"
+          "101"         => "Switching Protocols"
+          "merci"       => "thank you"
           "old version" => "new version"
         }
       }
     }
+----
 
 NOTE: It is an error to specify both `dictionary` and `dictionary_path`.
 
 [id="plugins-{type}s-{plugin}-dictionary_path"]
-===== `dictionary_path` 
+===== `dictionary_path`
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
 
-The full path of the external dictionary file. The format of the table
-should be a standard YAML, JSON, or CSV. Make sure you specify any integer-based keys
-in quotes. For example, the YAML file should look something like this:
+The full path of the external dictionary file. The format of the table should be
+a standard YAML, JSON, or CSV. 
+
+Specify any integer-based keys in quotes. The value taken from the event's
+`source` setting is converted to a string. The lookup dictionary keys must also
+be strings, and the quotes make the integer-based keys function as a string.
+For example, the YAML file should look something like this:
+
 [source,ruby]
+----
     "100": Continue
     "101": Switching Protocols
     merci: gracias
     old version: new version
+----
 
-NOTE: it is an error to specify both `dictionary` and `dictionary_path`.
+NOTE: It is an error to specify both `dictionary` and `dictionary_path`.
 
 The currently supported formats are YAML, JSON, and CSV. Format selection is
 based on the file extension: `json` for JSON, `yaml` or `yml` for YAML, and
-`csv` for CSV. The JSON format only supports simple key/value, unnested
-objects. The CSV format expects exactly two columns, with the first serving
-as the original text, and the second column as the replacement.
+`csv` for CSV. The CSV format expects exactly two columns, with the first serving
+as the original text (lookup key), and the second column as the translation.
+
+[id="plugins-{type}s-{plugin}-ecs_compatibility"]
+===== `ecs_compatibility`
+
+  * Value type is <<string,string>>
+  * Supported values are:
+    ** `disabled`: disabled ECS-compatibility
+    ** `v1`, `v8`: compatibility with the specified major version of the Elastic Common Schema
+  * Default value depends on which version of Logstash is running:
+    ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+    ** Otherwise, the default value is `disabled`.
+
+Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
+The value of this setting affects the _default_ value of <<plugins-{type}s-{plugin}-target>>.
 
 [id="plugins-{type}s-{plugin}-exact"]
-===== `exact` 
+===== `exact`
 
   * Value type is <<boolean,boolean>>
   * Default value is `true`
@@ -139,7 +205,9 @@ destination field's data, with the translated value substituted in-place.
 
 For example, consider this simple translation.yml, configured to check the `data` field:
 [source,ruby]
+----
     foo: bar
+----
 
 If logstash receives an event with the `data` field set to `foo`, and `exact => true`,
 the destination field will be populated with the string `bar`.
@@ -148,10 +216,10 @@ will be also set to `bar`. However, if logstash receives an event with the `data
 set to `foofing`, the destination field will be set to `barfing`.
 
 Set both `exact => true` AND `regex => `true` if you would like to match using dictionary
-keys as regular expressions. A large dictionary could be expensive to match in this case. 
+keys as regular expressions. A large dictionary could be expensive to match in this case.
 
 [id="plugins-{type}s-{plugin}-fallback"]
-===== `fallback` 
+===== `fallback`
 
   * Value type is <<string,string>>
   * There is no default value for this setting.
@@ -161,7 +229,9 @@ translation string, which will always populate `field`, if the match failed.
 
 For example, if we have configured `fallback => "no match"`, using this dictionary:
 [source,ruby]
+----
     foo: bar
+----
 
 Then, if logstash received an event with the field `foo` set to `bar`, the destination
 field would be set to `bar`. However, if logstash received an event with `foo` set to `nope`,
@@ -169,44 +239,151 @@ then the destination field would still be populated, but with the value of `no m
 This configuration can be dynamic and include parts of the event using the `%{field}` syntax.
 
 [id="plugins-{type}s-{plugin}-field"]
-===== `field` 
+===== `field`
+
+  * Value type is <<string,string>>
+  * Deprecated alias for <<plugins-{type}s-{plugin}-source>> setting.
+
+deprecated[3.3.0, Use <<plugins-{type}s-{plugin}-source>> instead. In 4.0 this setting will be removed.]
+
+[id="plugins-{type}s-{plugin}-iterate_on"]
+===== `iterate_on`
 
-  * This is a required setting.
   * Value type is <<string,string>>
   * There is no default value for this setting.
 
-The name of the logstash event field containing the value to be compared for a
-match by the translate filter (e.g. `message`, `host`, `response_code`). 
+When the value that you need to perform enrichment on is a variable sized array
+then specify the field name in this setting. This setting introduces two modes,
+1) when the value is an array of strings and 2) when the value is an array of
+objects (as in JSON object). +
+In the first mode, you should have the same field name in both `source` and
+`iterate_on`, the result will be an array added to the field specified in the
+`target` setting. This array will have the looked up value (or the
+`fallback` value or nil) in same ordinal position as each sought value. +
+In the second mode, specify the field that has the array of objects in
+`iterate_on` then specify the field in each object that provides the sought value
+with `source` and the field to write the looked up value (or the `fallback` value)
+to with `target`.
+
+For a dictionary of:
+[source,csv]
+----
+  100,Yuki
+  101,Rupert
+  102,Ahmed
+  103,Kwame
+----
+
+Example of Mode 1
+[source,ruby]
+    filter {
+      translate {
+        iterate_on => "[collaborator_ids]"
+        source     => "[collaborator_ids]"
+        target     => "[collaborator_names]"
+        fallback => "Unknown"
+      }
+    }
 
-If this field is an array, only the first value will be used.
+Before
+[source,json]
+  {
+    "collaborator_ids": [100,103,110,102]
+  }
+
+After
+[source,json]
+  {
+    "collaborator_ids": [100,103,110,102],
+    "collabrator_names": ["Yuki","Kwame","Unknown","Ahmed"]
+  }
+
+Example of Mode 2
+[source,ruby]
+    filter {
+      translate {
+        iterate_on => "[collaborators]"
+        source     => "[id]"
+        target     => "[name]"
+        fallback   => "Unknown"
+      }
+    }
+
+Before
+[source,json]
+  {
+    "collaborators": [
+      {
+        "id": 100
+      },
+      {
+        "id": 103
+      },
+      {
+        "id": 110
+      },
+      {
+        "id": 101
+      }
+    ]
+  }
+
+After
+[source,json]
+  {
+    "collaborators": [
+      {
+        "id": 100,
+        "name": "Yuki"
+      },
+      {
+        "id": 103,
+        "name": "Kwame"
+      },
+      {
+        "id": 110,
+        "name": "Unknown"
+      },
+      {
+        "id": 101,
+        "name": "Rupert"
+      }
+    ]
+  }
 
 [id="plugins-{type}s-{plugin}-override"]
-===== `override` 
+===== `override`
 
   * Value type is <<boolean,boolean>>
-  * Default value is `false`
+  * Default value depends on whether in-place translation is being used
+
+If the destination (or target) field already exists, this configuration option controls
+whether the filter skips translation (default behavior) or overwrites the target
+field value with the new translation value.
 
-If the destination (or target) field already exists, this configuration item specifies
-whether the filter should skip translation (default) or overwrite the target field
-value with the new translation value.
+In case of in-place translation, where `target` is the same as `source` (such as when
+<<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled), overwriting is allowed.
 
 [id="plugins-{type}s-{plugin}-refresh_interval"]
-===== `refresh_interval` 
+===== `refresh_interval`
 
   * Value type is <<number,number>>
   * Default value is `300`
 
 When using a dictionary file, this setting will indicate how frequently
-(in seconds) logstash will check the dictionary file for updates.
+(in seconds) logstash will check the dictionary file for updates. +
+A value of zero or less will disable refresh.
 
 [id="plugins-{type}s-{plugin}-regex"]
-===== `regex` 
+===== `regex`
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
 
-If you'd like to treat dictionary keys as regular expressions, set `exact => true`.
-Note: this is activated only when `exact => true`.
+To treat dictionary keys as regular expressions, set `regex => true`.
+
+Be sure to escape dictionary key strings for use with regex.
+Resources on regex formatting are available online.
 
 [id="plugins-{type}s-{plugin}-refresh_behaviour"]
 ===== `refresh_behaviour`
@@ -215,10 +392,34 @@ Note: this is activated only when `exact => true`.
   * Default value is `merge`
 
 When using a dictionary file, this setting indicates how the update will be executed.
-Setting this to `merge` leads to entries removed from the dictionary file being kept;
-`replace` deletes old entries on update.
+Setting this to `merge` causes the new dictionary to be merged into the old one. This means
+same entry will be updated but entries that existed before but not in the new dictionary
+will remain after the merge; `replace` causes the whole dictionary to be replaced
+with a new one (deleting all entries of the old one on update).
+
+[id="plugins-{type}s-{plugin}-source"]
+===== `source`
+
+* This is a required setting.
+* Value type is <<string,string>>
+* There is no default value for this setting.
 
+The name of the logstash event field containing the value to be compared for a
+match by the translate filter (e.g. `message`, `host`, `response_code`).
+
+If this field is an array, only the first value will be used.
+
+[id="plugins-{type}s-{plugin}-target"]
+===== `target`
+
+  * Value type is <<string,string>>
+  * Default value depends on whether <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled:
+    ** ECS Compatibility disabled: `"translation"`
+    ** ECS Compatibility enabled: defaults to the same value as `source`
 
+The target field you wish to populate with the translated code.
+If you set this value to the same value as `source` field, the plugin does a substitution, and
+the filter will succeed. This will clobber the old value of the source field!
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]