logstash-filter-translate 3.1.0 → 3.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +27 -0
- data/LICENSE +199 -10
- data/README.md +1 -1
- data/docs/index.asciidoc +257 -56
- data/lib/logstash/filters/array_of_maps_value_update.rb +44 -0
- data/lib/logstash/filters/array_of_values_update.rb +47 -0
- data/lib/logstash/filters/dictionary/csv_file.rb +25 -0
- data/lib/logstash/filters/dictionary/file.rb +143 -0
- data/lib/logstash/filters/dictionary/json_file.rb +87 -0
- data/lib/logstash/filters/dictionary/memory.rb +32 -0
- data/lib/logstash/filters/dictionary/yaml_file.rb +24 -0
- data/lib/logstash/filters/dictionary/yaml_visitor.rb +42 -0
- data/lib/logstash/filters/fetch_strategy/file.rb +81 -0
- data/lib/logstash/filters/fetch_strategy/memory.rb +52 -0
- data/lib/logstash/filters/single_value_update.rb +49 -0
- data/lib/logstash/filters/translate.rb +104 -158
- data/logstash-filter-translate.gemspec +8 -1
- data/spec/filters/benchmark_rspec.rb +69 -0
- data/spec/filters/scheduling_spec.rb +201 -0
- data/spec/filters/translate_spec.rb +463 -73
- data/spec/filters/yaml_visitor_spec.rb +16 -0
- data/spec/fixtures/regex_dict.csv +4 -0
- data/spec/fixtures/regex_union_dict.csv +4 -0
- data/spec/fixtures/tag-map-dict.yml +21 -0
- data/spec/fixtures/tag-omap-dict.yml +21 -0
- data/spec/support/build_huge_dictionaries.rb +33 -0
- data/spec/support/rspec_wait_handler_helper.rb +38 -0
- metadata +129 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1e20474957ecdfeb11d3f64ada5ca4363c80f145d9c39ced2dc5c87be22f0759
|
4
|
+
data.tar.gz: 485d8d8dcaeccec44a33b67495e56717b317d8de581ed28d0105e12e065a78f3
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c2f7191f2ba0473849477e6b6fbee92cc48cfae294fa140d5700f4228771b88f0d3afdecaa2e9a668a743ff5df97cf13f915bc264179c0d4fff50588dba29af9
|
7
|
+
data.tar.gz: cf76f651c156343c0829d8be92d92adf1041ce235355fa005ca3cdcf000841e0aabaa3f39ace9dba31f824067459ec80ccb7c94e12e71b71af19256757be6f71
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,30 @@
|
|
1
|
+
## 3.3.0
|
2
|
+
- Feat: added ECS compatibility mode [#89](https://github.com/logstash-plugins/logstash-filter-translate/pull/89)
|
3
|
+
- deprecated `destination` option in favor of `target` to better align with other plugins
|
4
|
+
- deprecated `field` option in favor of `source` to better align with other plugins
|
5
|
+
- when ECS compatibility is enabled, default behaviour is an in-place translation
|
6
|
+
- Fix: improved error handling - do not rescue potentially fatal (JVM) errors
|
7
|
+
|
8
|
+
## 3.2.3
|
9
|
+
- Fix to align with docs - looked-up values are always strings. Coerce better. [#77](https://github.com/logstash-plugins/logstash-filter-translate/pull/77)
|
10
|
+
- Fix bug in dictionary/file the always applied RegexExact, manifested when dictionary keys are not regex compatible [Logstash #9936](https://github.com/elastic/logstash/issues/9936)
|
11
|
+
- Added info to dictionary_path description to explain why integers must be quoted
|
12
|
+
|
13
|
+
## 3.2.2
|
14
|
+
- Fix bug in csv_file when LS config has CSV filter plugin specified as well as a csv dictionary.
|
15
|
+
[#70](https://github.com/logstash-plugins/logstash-filter-translate/issues/70)
|
16
|
+
|
17
|
+
## 3.2.1
|
18
|
+
- Updated formatting of examples in documentation for consistent rendering
|
19
|
+
|
20
|
+
## 3.2.0
|
21
|
+
- Add `iterate_on` setting to support fields that are arrays, see the docs
|
22
|
+
for detailed explanation.
|
23
|
+
[#66](https://github.com/logstash-plugins/logstash-filter-translate/issues/66)
|
24
|
+
- Add Rufus::Scheduler to provide asynchronous loading of dictionary.
|
25
|
+
[#65](https://github.com/logstash-plugins/logstash-filter-translate/issues/65)
|
26
|
+
- Re-organise code, yields performance improvement of around 360%
|
27
|
+
|
1
28
|
## 3.1.0
|
2
29
|
- Add 'refresh_behaviour' to either 'merge' or 'replace' during a refresh #57
|
3
30
|
|
data/LICENSE
CHANGED
@@ -1,13 +1,202 @@
|
|
1
|
-
Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
|
2
1
|
|
3
|
-
|
4
|
-
|
5
|
-
|
2
|
+
Apache License
|
3
|
+
Version 2.0, January 2004
|
4
|
+
http://www.apache.org/licenses/
|
6
5
|
|
7
|
-
|
6
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
8
7
|
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
8
|
+
1. Definitions.
|
9
|
+
|
10
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
11
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
12
|
+
|
13
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
14
|
+
the copyright owner that is granting the License.
|
15
|
+
|
16
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
17
|
+
other entities that control, are controlled by, or are under common
|
18
|
+
control with that entity. For the purposes of this definition,
|
19
|
+
"control" means (i) the power, direct or indirect, to cause the
|
20
|
+
direction or management of such entity, whether by contract or
|
21
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
22
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
23
|
+
|
24
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
25
|
+
exercising permissions granted by this License.
|
26
|
+
|
27
|
+
"Source" form shall mean the preferred form for making modifications,
|
28
|
+
including but not limited to software source code, documentation
|
29
|
+
source, and configuration files.
|
30
|
+
|
31
|
+
"Object" form shall mean any form resulting from mechanical
|
32
|
+
transformation or translation of a Source form, including but
|
33
|
+
not limited to compiled object code, generated documentation,
|
34
|
+
and conversions to other media types.
|
35
|
+
|
36
|
+
"Work" shall mean the work of authorship, whether in Source or
|
37
|
+
Object form, made available under the License, as indicated by a
|
38
|
+
copyright notice that is included in or attached to the work
|
39
|
+
(an example is provided in the Appendix below).
|
40
|
+
|
41
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
42
|
+
form, that is based on (or derived from) the Work and for which the
|
43
|
+
editorial revisions, annotations, elaborations, or other modifications
|
44
|
+
represent, as a whole, an original work of authorship. For the purposes
|
45
|
+
of this License, Derivative Works shall not include works that remain
|
46
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
47
|
+
the Work and Derivative Works thereof.
|
48
|
+
|
49
|
+
"Contribution" shall mean any work of authorship, including
|
50
|
+
the original version of the Work and any modifications or additions
|
51
|
+
to that Work or Derivative Works thereof, that is intentionally
|
52
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
53
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
54
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
55
|
+
means any form of electronic, verbal, or written communication sent
|
56
|
+
to the Licensor or its representatives, including but not limited to
|
57
|
+
communication on electronic mailing lists, source code control systems,
|
58
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
59
|
+
Licensor for the purpose of discussing and improving the Work, but
|
60
|
+
excluding communication that is conspicuously marked or otherwise
|
61
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
62
|
+
|
63
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
64
|
+
on behalf of whom a Contribution has been received by Licensor and
|
65
|
+
subsequently incorporated within the Work.
|
66
|
+
|
67
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
68
|
+
this License, each Contributor hereby grants to You a perpetual,
|
69
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
70
|
+
copyright license to reproduce, prepare Derivative Works of,
|
71
|
+
publicly display, publicly perform, sublicense, and distribute the
|
72
|
+
Work and such Derivative Works in Source or Object form.
|
73
|
+
|
74
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
75
|
+
this License, each Contributor hereby grants to You a perpetual,
|
76
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
77
|
+
(except as stated in this section) patent license to make, have made,
|
78
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
79
|
+
where such license applies only to those patent claims licensable
|
80
|
+
by such Contributor that are necessarily infringed by their
|
81
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
82
|
+
with the Work to which such Contribution(s) was submitted. If You
|
83
|
+
institute patent litigation against any entity (including a
|
84
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
85
|
+
or a Contribution incorporated within the Work constitutes direct
|
86
|
+
or contributory patent infringement, then any patent licenses
|
87
|
+
granted to You under this License for that Work shall terminate
|
88
|
+
as of the date such litigation is filed.
|
89
|
+
|
90
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
91
|
+
Work or Derivative Works thereof in any medium, with or without
|
92
|
+
modifications, and in Source or Object form, provided that You
|
93
|
+
meet the following conditions:
|
94
|
+
|
95
|
+
(a) You must give any other recipients of the Work or
|
96
|
+
Derivative Works a copy of this License; and
|
97
|
+
|
98
|
+
(b) You must cause any modified files to carry prominent notices
|
99
|
+
stating that You changed the files; and
|
100
|
+
|
101
|
+
(c) You must retain, in the Source form of any Derivative Works
|
102
|
+
that You distribute, all copyright, patent, trademark, and
|
103
|
+
attribution notices from the Source form of the Work,
|
104
|
+
excluding those notices that do not pertain to any part of
|
105
|
+
the Derivative Works; and
|
106
|
+
|
107
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
108
|
+
distribution, then any Derivative Works that You distribute must
|
109
|
+
include a readable copy of the attribution notices contained
|
110
|
+
within such NOTICE file, excluding those notices that do not
|
111
|
+
pertain to any part of the Derivative Works, in at least one
|
112
|
+
of the following places: within a NOTICE text file distributed
|
113
|
+
as part of the Derivative Works; within the Source form or
|
114
|
+
documentation, if provided along with the Derivative Works; or,
|
115
|
+
within a display generated by the Derivative Works, if and
|
116
|
+
wherever such third-party notices normally appear. The contents
|
117
|
+
of the NOTICE file are for informational purposes only and
|
118
|
+
do not modify the License. You may add Your own attribution
|
119
|
+
notices within Derivative Works that You distribute, alongside
|
120
|
+
or as an addendum to the NOTICE text from the Work, provided
|
121
|
+
that such additional attribution notices cannot be construed
|
122
|
+
as modifying the License.
|
123
|
+
|
124
|
+
You may add Your own copyright statement to Your modifications and
|
125
|
+
may provide additional or different license terms and conditions
|
126
|
+
for use, reproduction, or distribution of Your modifications, or
|
127
|
+
for any such Derivative Works as a whole, provided Your use,
|
128
|
+
reproduction, and distribution of the Work otherwise complies with
|
129
|
+
the conditions stated in this License.
|
130
|
+
|
131
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
132
|
+
any Contribution intentionally submitted for inclusion in the Work
|
133
|
+
by You to the Licensor shall be under the terms and conditions of
|
134
|
+
this License, without any additional terms or conditions.
|
135
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
136
|
+
the terms of any separate license agreement you may have executed
|
137
|
+
with Licensor regarding such Contributions.
|
138
|
+
|
139
|
+
6. Trademarks. This License does not grant permission to use the trade
|
140
|
+
names, trademarks, service marks, or product names of the Licensor,
|
141
|
+
except as required for reasonable and customary use in describing the
|
142
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
143
|
+
|
144
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
145
|
+
agreed to in writing, Licensor provides the Work (and each
|
146
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
147
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
148
|
+
implied, including, without limitation, any warranties or conditions
|
149
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
150
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
151
|
+
appropriateness of using or redistributing the Work and assume any
|
152
|
+
risks associated with Your exercise of permissions under this License.
|
153
|
+
|
154
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
155
|
+
whether in tort (including negligence), contract, or otherwise,
|
156
|
+
unless required by applicable law (such as deliberate and grossly
|
157
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
158
|
+
liable to You for damages, including any direct, indirect, special,
|
159
|
+
incidental, or consequential damages of any character arising as a
|
160
|
+
result of this License or out of the use or inability to use the
|
161
|
+
Work (including but not limited to damages for loss of goodwill,
|
162
|
+
work stoppage, computer failure or malfunction, or any and all
|
163
|
+
other commercial damages or losses), even if such Contributor
|
164
|
+
has been advised of the possibility of such damages.
|
165
|
+
|
166
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
167
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
168
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
169
|
+
or other liability obligations and/or rights consistent with this
|
170
|
+
License. However, in accepting such obligations, You may act only
|
171
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
172
|
+
of any other Contributor, and only if You agree to indemnify,
|
173
|
+
defend, and hold each Contributor harmless for any liability
|
174
|
+
incurred by, or claims asserted against, such Contributor by reason
|
175
|
+
of your accepting any such warranty or additional liability.
|
176
|
+
|
177
|
+
END OF TERMS AND CONDITIONS
|
178
|
+
|
179
|
+
APPENDIX: How to apply the Apache License to your work.
|
180
|
+
|
181
|
+
To apply the Apache License to your work, attach the following
|
182
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
183
|
+
replaced with your own identifying information. (Don't include
|
184
|
+
the brackets!) The text should be enclosed in the appropriate
|
185
|
+
comment syntax for the file format. We also recommend that a
|
186
|
+
file or class name and description of purpose be included on the
|
187
|
+
same "printed page" as the copyright notice for easier
|
188
|
+
identification within third-party archives.
|
189
|
+
|
190
|
+
Copyright 2020 Elastic and contributors
|
191
|
+
|
192
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
193
|
+
you may not use this file except in compliance with the License.
|
194
|
+
You may obtain a copy of the License at
|
195
|
+
|
196
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
197
|
+
|
198
|
+
Unless required by applicable law or agreed to in writing, software
|
199
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
200
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
201
|
+
See the License for the specific language governing permissions and
|
202
|
+
limitations under the License.
|
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Logstash Plugin
|
2
2
|
|
3
|
-
[![Travis Build Status](https://travis-ci.
|
3
|
+
[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-filter-translate.svg)](https://travis-ci.com/logstash-plugins/logstash-filter-translate)
|
4
4
|
|
5
5
|
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
6
6
|
|
data/docs/index.asciidoc
CHANGED
@@ -21,28 +21,71 @@ include::{include_path}/plugin_header.asciidoc[]
|
|
21
21
|
==== Description
|
22
22
|
|
23
23
|
A general search and replace tool that uses a configured hash
|
24
|
-
and/or a file to determine replacement values. Currently supported are
|
25
|
-
YAML, JSON, and CSV files.
|
24
|
+
and/or a file to determine replacement values. Currently supported are
|
25
|
+
YAML, JSON, and CSV files. Each dictionary item is a key value pair.
|
26
26
|
|
27
|
-
|
28
|
-
the `dictionary` configuration item may contain a hash representing
|
29
|
-
the mapping. Second, an external file (readable by logstash) may be specified
|
30
|
-
in the `dictionary_path` configuration item. These two methods may not be used
|
31
|
-
in conjunction; it will produce an error.
|
27
|
+
You can specify dictionary entries in one of two ways:
|
32
28
|
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
29
|
+
* The `dictionary` configuration item can contain a hash representing
|
30
|
+
the mapping.
|
31
|
+
* An external file (readable by logstash) may be specified in the
|
32
|
+
`dictionary_path` configuration item.
|
37
33
|
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
34
|
+
These two methods may not be used in conjunction; it will produce an error.
|
35
|
+
|
36
|
+
Operationally, for each event, the value from the `source` setting is tested
|
37
|
+
against the dictionary and if it matches exactly (or matches a regex when
|
38
|
+
`regex` configuration item has been enabled), the matched value is put in the
|
39
|
+
`target` field, but on no match the `fallback` setting string is used instead.
|
40
|
+
|
41
|
+
Example:
|
42
|
+
[source,ruby]
|
43
|
+
----
|
44
|
+
filter {
|
45
|
+
translate {
|
46
|
+
source => "[http][response][status_code]"
|
47
|
+
target => "[http_status_description]"
|
48
|
+
dictionary => {
|
49
|
+
"100" => "Continue"
|
50
|
+
"101" => "Switching Protocols"
|
51
|
+
"200" => "OK"
|
52
|
+
"500" => "Server Error"
|
53
|
+
}
|
54
|
+
fallback => "I'm a teapot"
|
55
|
+
}
|
56
|
+
}
|
57
|
+
----
|
58
|
+
|
59
|
+
Occasionally, people find that they have a field with a variable sized array of
|
60
|
+
values or objects that need some enrichment. The `iterate_on` setting helps in
|
61
|
+
these cases.
|
42
62
|
|
43
63
|
Alternatively, for simple string search and replacements for just a few values
|
44
64
|
you might consider using the gsub function of the mutate filter.
|
45
65
|
|
66
|
+
It is possible to provide multi-valued dictionary values. When using a YAML or
|
67
|
+
JSON dictionary, you can have the value as a hash (map) or an array datatype.
|
68
|
+
When using a CSV dictionary, multiple values in the translation must be
|
69
|
+
extracted with another filter e.g. Dissect or KV. +
|
70
|
+
Note that the `fallback` is a string so on no match the fallback setting needs
|
71
|
+
to formatted so that a filter can extract the multiple values to the correct fields.
|
72
|
+
|
73
|
+
File based dictionaries are loaded in a separate thread using a scheduler.
|
74
|
+
If you set a `refresh_interval` of 300 seconds (5 minutes) or less then the
|
75
|
+
modified time of the file is checked before reloading. Very large dictionaries
|
76
|
+
are supported, internally tested at 100 000 key/values, and we minimise
|
77
|
+
the impact on throughput by having the refresh in the scheduler thread.
|
78
|
+
Any ongoing modification of the dictionary file should be done using a
|
79
|
+
copy/edit/rename or create/rename mechanism to avoid the refresh code from
|
80
|
+
processing half-baked dictionary content.
|
81
|
+
|
82
|
+
[id="plugins-{type}s-{plugin}-ecs_metadata"]
|
83
|
+
==== Compatibility with the Elastic Common Schema (ECS)
|
84
|
+
|
85
|
+
The plugin acts as an in-place translator if `source` and `target` are the same
|
86
|
+
and does not produce any new event fields.
|
87
|
+
This is the default behavior in <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>>.
|
88
|
+
|
46
89
|
[id="plugins-{type}s-{plugin}-options"]
|
47
90
|
==== Translate Filter Configuration Options
|
48
91
|
|
@@ -54,13 +97,17 @@ This plugin supports the following configuration options plus the <<plugins-{typ
|
|
54
97
|
| <<plugins-{type}s-{plugin}-destination>> |<<string,string>>|No
|
55
98
|
| <<plugins-{type}s-{plugin}-dictionary>> |<<hash,hash>>|No
|
56
99
|
| <<plugins-{type}s-{plugin}-dictionary_path>> |a valid filesystem path|No
|
100
|
+
| <<plugins-{type}s-{plugin}-ecs_compatibility>> |<<string,string>>|No
|
57
101
|
| <<plugins-{type}s-{plugin}-exact>> |<<boolean,boolean>>|No
|
58
102
|
| <<plugins-{type}s-{plugin}-fallback>> |<<string,string>>|No
|
59
|
-
| <<plugins-{type}s-{plugin}-field>> |<<string,string>>|
|
103
|
+
| <<plugins-{type}s-{plugin}-field>> |<<string,string>>|No
|
104
|
+
| <<plugins-{type}s-{plugin}-iterate_on>> |<<string,string>>|No
|
60
105
|
| <<plugins-{type}s-{plugin}-override>> |<<boolean,boolean>>|No
|
61
106
|
| <<plugins-{type}s-{plugin}-refresh_interval>> |<<number,number>>|No
|
62
107
|
| <<plugins-{type}s-{plugin}-regex>> |<<boolean,boolean>>|No
|
108
|
+
| <<plugins-{type}s-{plugin}-source>> |<<string,string>>|Yes
|
63
109
|
| <<plugins-{type}s-{plugin}-refresh_behaviour>> |<<string,string>>|No
|
110
|
+
| <<plugins-{type}s-{plugin}-target>> |<<string,string>>|No
|
64
111
|
|=======================================================================
|
65
112
|
|
66
113
|
Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
|
@@ -69,65 +116,84 @@ filter plugins.
|
|
69
116
|
|
70
117
|
|
71
118
|
[id="plugins-{type}s-{plugin}-destination"]
|
72
|
-
===== `destination`
|
119
|
+
===== `destination`
|
73
120
|
|
74
121
|
* Value type is <<string,string>>
|
75
|
-
*
|
122
|
+
* Deprecated alias for <<plugins-{type}s-{plugin}-target>> setting.
|
76
123
|
|
77
|
-
|
78
|
-
is a field named `translation`. Set this to the same value as source if you want
|
79
|
-
to do a substitution, in this case filter will allways succeed. This will clobber
|
80
|
-
the old value of the source field!
|
124
|
+
deprecated[3.3.0, Use <<plugins-{type}s-{plugin}-target>> instead. In 4.0 this setting will be removed.]
|
81
125
|
|
82
126
|
[id="plugins-{type}s-{plugin}-dictionary"]
|
83
|
-
===== `dictionary`
|
127
|
+
===== `dictionary`
|
84
128
|
|
85
129
|
* Value type is <<hash,hash>>
|
86
130
|
* Default value is `{}`
|
87
131
|
|
88
132
|
The dictionary to use for translation, when specified in the logstash filter
|
89
|
-
configuration item (i.e. do not use the
|
133
|
+
configuration item (i.e. do not use the `dictionary_path` file).
|
90
134
|
|
91
135
|
Example:
|
92
136
|
[source,ruby]
|
137
|
+
----
|
93
138
|
filter {
|
94
139
|
translate {
|
95
|
-
dictionary => {
|
96
|
-
"100" => "Continue"
|
97
|
-
"101" => "Switching Protocols"
|
98
|
-
"merci" => "thank you"
|
140
|
+
dictionary => {
|
141
|
+
"100" => "Continue"
|
142
|
+
"101" => "Switching Protocols"
|
143
|
+
"merci" => "thank you"
|
99
144
|
"old version" => "new version"
|
100
145
|
}
|
101
146
|
}
|
102
147
|
}
|
148
|
+
----
|
103
149
|
|
104
150
|
NOTE: It is an error to specify both `dictionary` and `dictionary_path`.
|
105
151
|
|
106
152
|
[id="plugins-{type}s-{plugin}-dictionary_path"]
|
107
|
-
===== `dictionary_path`
|
153
|
+
===== `dictionary_path`
|
108
154
|
|
109
155
|
* Value type is <<path,path>>
|
110
156
|
* There is no default value for this setting.
|
111
157
|
|
112
|
-
The full path of the external dictionary file. The format of the table
|
113
|
-
|
114
|
-
|
158
|
+
The full path of the external dictionary file. The format of the table should be
|
159
|
+
a standard YAML, JSON, or CSV.
|
160
|
+
|
161
|
+
Specify any integer-based keys in quotes. The value taken from the event's
|
162
|
+
`source` setting is converted to a string. The lookup dictionary keys must also
|
163
|
+
be strings, and the quotes make the integer-based keys function as a string.
|
164
|
+
For example, the YAML file should look something like this:
|
165
|
+
|
115
166
|
[source,ruby]
|
167
|
+
----
|
116
168
|
"100": Continue
|
117
169
|
"101": Switching Protocols
|
118
170
|
merci: gracias
|
119
171
|
old version: new version
|
172
|
+
----
|
120
173
|
|
121
|
-
NOTE:
|
174
|
+
NOTE: It is an error to specify both `dictionary` and `dictionary_path`.
|
122
175
|
|
123
176
|
The currently supported formats are YAML, JSON, and CSV. Format selection is
|
124
177
|
based on the file extension: `json` for JSON, `yaml` or `yml` for YAML, and
|
125
|
-
`csv` for CSV. The
|
126
|
-
|
127
|
-
|
178
|
+
`csv` for CSV. The CSV format expects exactly two columns, with the first serving
|
179
|
+
as the original text (lookup key), and the second column as the translation.
|
180
|
+
|
181
|
+
[id="plugins-{type}s-{plugin}-ecs_compatibility"]
|
182
|
+
===== `ecs_compatibility`
|
183
|
+
|
184
|
+
* Value type is <<string,string>>
|
185
|
+
* Supported values are:
|
186
|
+
** `disabled`: disabled ECS-compatibility
|
187
|
+
** `v1`, `v8`: compatibility with the specified major version of the Elastic Common Schema
|
188
|
+
* Default value depends on which version of Logstash is running:
|
189
|
+
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
190
|
+
** Otherwise, the default value is `disabled`.
|
191
|
+
|
192
|
+
Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
|
193
|
+
The value of this setting affects the _default_ value of <<plugins-{type}s-{plugin}-target>>.
|
128
194
|
|
129
195
|
[id="plugins-{type}s-{plugin}-exact"]
|
130
|
-
===== `exact`
|
196
|
+
===== `exact`
|
131
197
|
|
132
198
|
* Value type is <<boolean,boolean>>
|
133
199
|
* Default value is `true`
|
@@ -139,7 +205,9 @@ destination field's data, with the translated value substituted in-place.
|
|
139
205
|
|
140
206
|
For example, consider this simple translation.yml, configured to check the `data` field:
|
141
207
|
[source,ruby]
|
208
|
+
----
|
142
209
|
foo: bar
|
210
|
+
----
|
143
211
|
|
144
212
|
If logstash receives an event with the `data` field set to `foo`, and `exact => true`,
|
145
213
|
the destination field will be populated with the string `bar`.
|
@@ -148,10 +216,10 @@ will be also set to `bar`. However, if logstash receives an event with the `data
|
|
148
216
|
set to `foofing`, the destination field will be set to `barfing`.
|
149
217
|
|
150
218
|
Set both `exact => true` AND `regex => `true` if you would like to match using dictionary
|
151
|
-
keys as regular expressions. A large dictionary could be expensive to match in this case.
|
219
|
+
keys as regular expressions. A large dictionary could be expensive to match in this case.
|
152
220
|
|
153
221
|
[id="plugins-{type}s-{plugin}-fallback"]
|
154
|
-
===== `fallback`
|
222
|
+
===== `fallback`
|
155
223
|
|
156
224
|
* Value type is <<string,string>>
|
157
225
|
* There is no default value for this setting.
|
@@ -161,7 +229,9 @@ translation string, which will always populate `field`, if the match failed.
|
|
161
229
|
|
162
230
|
For example, if we have configured `fallback => "no match"`, using this dictionary:
|
163
231
|
[source,ruby]
|
232
|
+
----
|
164
233
|
foo: bar
|
234
|
+
----
|
165
235
|
|
166
236
|
Then, if logstash received an event with the field `foo` set to `bar`, the destination
|
167
237
|
field would be set to `bar`. However, if logstash received an event with `foo` set to `nope`,
|
@@ -169,44 +239,151 @@ then the destination field would still be populated, but with the value of `no m
|
|
169
239
|
This configuration can be dynamic and include parts of the event using the `%{field}` syntax.
|
170
240
|
|
171
241
|
[id="plugins-{type}s-{plugin}-field"]
|
172
|
-
===== `field`
|
242
|
+
===== `field`
|
243
|
+
|
244
|
+
* Value type is <<string,string>>
|
245
|
+
* Deprecated alias for <<plugins-{type}s-{plugin}-source>> setting.
|
246
|
+
|
247
|
+
deprecated[3.3.0, Use <<plugins-{type}s-{plugin}-source>> instead. In 4.0 this setting will be removed.]
|
248
|
+
|
249
|
+
[id="plugins-{type}s-{plugin}-iterate_on"]
|
250
|
+
===== `iterate_on`
|
173
251
|
|
174
|
-
* This is a required setting.
|
175
252
|
* Value type is <<string,string>>
|
176
253
|
* There is no default value for this setting.
|
177
254
|
|
178
|
-
|
179
|
-
|
255
|
+
When the value that you need to perform enrichment on is a variable sized array
|
256
|
+
then specify the field name in this setting. This setting introduces two modes,
|
257
|
+
1) when the value is an array of strings and 2) when the value is an array of
|
258
|
+
objects (as in JSON object). +
|
259
|
+
In the first mode, you should have the same field name in both `source` and
|
260
|
+
`iterate_on`, the result will be an array added to the field specified in the
|
261
|
+
`target` setting. This array will have the looked up value (or the
|
262
|
+
`fallback` value or nil) in same ordinal position as each sought value. +
|
263
|
+
In the second mode, specify the field that has the array of objects in
|
264
|
+
`iterate_on` then specify the field in each object that provides the sought value
|
265
|
+
with `source` and the field to write the looked up value (or the `fallback` value)
|
266
|
+
to with `target`.
|
267
|
+
|
268
|
+
For a dictionary of:
|
269
|
+
[source,csv]
|
270
|
+
----
|
271
|
+
100,Yuki
|
272
|
+
101,Rupert
|
273
|
+
102,Ahmed
|
274
|
+
103,Kwame
|
275
|
+
----
|
276
|
+
|
277
|
+
Example of Mode 1
|
278
|
+
[source,ruby]
|
279
|
+
filter {
|
280
|
+
translate {
|
281
|
+
iterate_on => "[collaborator_ids]"
|
282
|
+
source => "[collaborator_ids]"
|
283
|
+
target => "[collaborator_names]"
|
284
|
+
fallback => "Unknown"
|
285
|
+
}
|
286
|
+
}
|
180
287
|
|
181
|
-
|
288
|
+
Before
|
289
|
+
[source,json]
|
290
|
+
{
|
291
|
+
"collaborator_ids": [100,103,110,102]
|
292
|
+
}
|
293
|
+
|
294
|
+
After
|
295
|
+
[source,json]
|
296
|
+
{
|
297
|
+
"collaborator_ids": [100,103,110,102],
|
298
|
+
"collabrator_names": ["Yuki","Kwame","Unknown","Ahmed"]
|
299
|
+
}
|
300
|
+
|
301
|
+
Example of Mode 2
|
302
|
+
[source,ruby]
|
303
|
+
filter {
|
304
|
+
translate {
|
305
|
+
iterate_on => "[collaborators]"
|
306
|
+
source => "[id]"
|
307
|
+
target => "[name]"
|
308
|
+
fallback => "Unknown"
|
309
|
+
}
|
310
|
+
}
|
311
|
+
|
312
|
+
Before
|
313
|
+
[source,json]
|
314
|
+
{
|
315
|
+
"collaborators": [
|
316
|
+
{
|
317
|
+
"id": 100
|
318
|
+
},
|
319
|
+
{
|
320
|
+
"id": 103
|
321
|
+
},
|
322
|
+
{
|
323
|
+
"id": 110
|
324
|
+
},
|
325
|
+
{
|
326
|
+
"id": 101
|
327
|
+
}
|
328
|
+
]
|
329
|
+
}
|
330
|
+
|
331
|
+
After
|
332
|
+
[source,json]
|
333
|
+
{
|
334
|
+
"collaborators": [
|
335
|
+
{
|
336
|
+
"id": 100,
|
337
|
+
"name": "Yuki"
|
338
|
+
},
|
339
|
+
{
|
340
|
+
"id": 103,
|
341
|
+
"name": "Kwame"
|
342
|
+
},
|
343
|
+
{
|
344
|
+
"id": 110,
|
345
|
+
"name": "Unknown"
|
346
|
+
},
|
347
|
+
{
|
348
|
+
"id": 101,
|
349
|
+
"name": "Rupert"
|
350
|
+
}
|
351
|
+
]
|
352
|
+
}
|
182
353
|
|
183
354
|
[id="plugins-{type}s-{plugin}-override"]
|
184
|
-
===== `override`
|
355
|
+
===== `override`
|
185
356
|
|
186
357
|
* Value type is <<boolean,boolean>>
|
187
|
-
* Default value is
|
358
|
+
* Default value depends on whether in-place translation is being used
|
359
|
+
|
360
|
+
If the destination (or target) field already exists, this configuration option controls
|
361
|
+
whether the filter skips translation (default behavior) or overwrites the target
|
362
|
+
field value with the new translation value.
|
188
363
|
|
189
|
-
|
190
|
-
|
191
|
-
value with the new translation value.
|
364
|
+
In case of in-place translation, where `target` is the same as `source` (such as when
|
365
|
+
<<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled), overwriting is allowed.
|
192
366
|
|
193
367
|
[id="plugins-{type}s-{plugin}-refresh_interval"]
|
194
|
-
===== `refresh_interval`
|
368
|
+
===== `refresh_interval`
|
195
369
|
|
196
370
|
* Value type is <<number,number>>
|
197
371
|
* Default value is `300`
|
198
372
|
|
199
373
|
When using a dictionary file, this setting will indicate how frequently
|
200
|
-
(in seconds) logstash will check the dictionary file for updates.
|
374
|
+
(in seconds) logstash will check the dictionary file for updates. +
|
375
|
+
A value of zero or less will disable refresh.
|
201
376
|
|
202
377
|
[id="plugins-{type}s-{plugin}-regex"]
|
203
|
-
===== `regex`
|
378
|
+
===== `regex`
|
204
379
|
|
205
380
|
* Value type is <<boolean,boolean>>
|
206
381
|
* Default value is `false`
|
207
382
|
|
208
|
-
|
209
|
-
|
383
|
+
To treat dictionary keys as regular expressions, set `regex => true`.
|
384
|
+
|
385
|
+
Be sure to escape dictionary key strings for use with regex.
|
386
|
+
Resources on regex formatting are available online.
|
210
387
|
|
211
388
|
[id="plugins-{type}s-{plugin}-refresh_behaviour"]
|
212
389
|
===== `refresh_behaviour`
|
@@ -215,10 +392,34 @@ Note: this is activated only when `exact => true`.
|
|
215
392
|
* Default value is `merge`
|
216
393
|
|
217
394
|
When using a dictionary file, this setting indicates how the update will be executed.
|
218
|
-
Setting this to `merge`
|
219
|
-
|
395
|
+
Setting this to `merge` causes the new dictionary to be merged into the old one. This means
|
396
|
+
same entry will be updated but entries that existed before but not in the new dictionary
|
397
|
+
will remain after the merge; `replace` causes the whole dictionary to be replaced
|
398
|
+
with a new one (deleting all entries of the old one on update).
|
399
|
+
|
400
|
+
[id="plugins-{type}s-{plugin}-source"]
|
401
|
+
===== `source`
|
402
|
+
|
403
|
+
* This is a required setting.
|
404
|
+
* Value type is <<string,string>>
|
405
|
+
* There is no default value for this setting.
|
220
406
|
|
407
|
+
The name of the logstash event field containing the value to be compared for a
|
408
|
+
match by the translate filter (e.g. `message`, `host`, `response_code`).
|
409
|
+
|
410
|
+
If this field is an array, only the first value will be used.
|
411
|
+
|
412
|
+
[id="plugins-{type}s-{plugin}-target"]
|
413
|
+
===== `target`
|
414
|
+
|
415
|
+
* Value type is <<string,string>>
|
416
|
+
* Default value depends on whether <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled:
|
417
|
+
** ECS Compatibility disabled: `"translation"`
|
418
|
+
** ECS Compatibility enabled: defaults to the same value as `source`
|
221
419
|
|
420
|
+
The target field you wish to populate with the translated code.
|
421
|
+
If you set this value to the same value as `source` field, the plugin does a substitution, and
|
422
|
+
the filter will succeed. This will clobber the old value of the source field!
|
222
423
|
|
223
424
|
[id="plugins-{type}s-{plugin}-common-options"]
|
224
425
|
include::{include_path}/{type}.asciidoc[]
|