logstash-filter-translate 3.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e4b8c724a742d47aa89a6237e127be569f2675a19c5752e719918bff8489c77
-  data.tar.gz: 406d7e0417251e10d1142d19027af9557f9a0993782bb16780bcdc86c943bd5e
+  metadata.gz: bda33e0807c4df1f6a144e456c86e59c538c7138d3d27c61c688a892dcc424df
+  data.tar.gz: 93724eb15e55f3e54e0ebf321189c4e4110031ff5656dc673cdac21b6e66f837
 SHA512:
-  metadata.gz: e25757bc66a2b1afa15318161c6a8182f5258e9a8f395c870e0826224f6111bfa607950e678058a423aecb733f9f23edbbaed7778067f239269786afc76341d9
-  data.tar.gz: c84f492fad3418db7e18333658691fe5a8109c6dfc15589e88415198d348cce4fa05d4b966762072387441dec06210d6c7bf5fcc92fe5bec94ffe1b5026eba9d
+  metadata.gz: 7f1cfc504590cd22466348a677184221674198e9aa066c314630766b8a16e744a744220447586593c3e42dcee4b88736509d052d7513cdbf19ae1aca35a44924
+  data.tar.gz: d3b2da31ff46f55d6459ea32a1e1fd015f90f4618663c35b1d142e612937244bc101d0dfa96f039ca947ee5d716b87999ad682fdd6a7873fdf09ed5a6829dbd9

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 3.2.0
+  - Add `iterate_on` setting to support fields that are arrays, see the docs
+  for detailed explanation.
+  [#66](https://github.com/logstash-plugins/logstash-filter-translate/issues/66)
+  - Add Rufus::Scheduler to provide asynchronous loading of dictionary.
+  [#65](https://github.com/logstash-plugins/logstash-filter-translate/issues/65)
+  - Re-organise code, yields performance improvement of around 360%
+
 ## 3.1.0
   - Add 'refresh_behaviour' to either 'merge' or 'replace' during a refresh #57
 

data/docs/index.asciidoc

@@ -21,8 +21,8 @@ include::{include_path}/plugin_header.asciidoc[]
 ==== Description
 
 A general search and replace tool that uses a configured hash
-and/or a file to determine replacement values. Currently supported are 
-YAML, JSON, and CSV files.
+and/or a file to determine replacement values. Currently supported are
+YAML, JSON, and CSV files. Each dictionary item is a key value pair.
 
 The dictionary entries can be specified in one of two ways: First,
 the `dictionary` configuration item may contain a hash representing
@@ -30,19 +30,53 @@ the mapping. Second, an external file (readable by logstash) may be specified
 in the `dictionary_path` configuration item. These two methods may not be used
 in conjunction; it will produce an error.
 
-Operationally, if the event field specified in the `field` configuration
-matches the EXACT contents of a dictionary entry key (or matches a regex if
-`regex` configuration item has been enabled), the field's value will be substituted
-with the matched key's value from the dictionary.
+Operationally, for each event, the value from the `field` setting is tested
+against the dictionary and if it matches exactly (or matches a regex when
+`regex` configuration item has been enabled), the matched value is put in
+the `destination` field, but on no match the `fallback` setting string is
+used instead.
 
-By default, the translate filter will replace the contents of the 
-maching event field (in-place). However, by using the `destination`
-configuration item, you may also specify a target event field to
-populate with the new translated value.
+Example:
+```
+[source,ruby]
+    filter {
+      translate {
+        field => "[http_status]"
+        destination => "[http_status_description]"
+        dictionary => {
+          "100" => "Continue"
+          "101" => "Switching Protocols"
+          "200" => "OK"
+          "500" => "Server Error"
+        }
+        fallback => "I'm a teapot"
+      }
+    }
+```
+
+Occasionally, people find that they have a field with a variable sized array of
+values or objects that need some enrichment. The `iterate_on` setting helps in
+these cases.
 
 Alternatively, for simple string search and replacements for just a few values
 you might consider using the gsub function of the mutate filter.
 
+It is possible to provide multi-valued dictionary values. When using a YAML or
+JSON dictionary, you can have the value as a hash (map) or an array datatype.
+When using a CSV dictionary, multiple values in the translation must be
+extracted with another filter e.g. Dissect or KV. +
+Note that the `fallback` is a string so on no match the fallback setting needs
+to formatted so that a filter can extract the multiple values to the correct fields.
+
+File based dictionaries are loaded in a separate thread using a scheduler.
+If you set a `refresh_interval` of 300 seconds (5 minutes) or less then the
+modified time of the file is checked before reloading. Very large dictionaries
+are supported, internally tested at 100 000 key/values, and we minimise
+the impact on throughput by having the refresh in the scheduler thread.
+Any ongoing modification of the dictionary file should be done using a
+copy/edit/rename or create/rename mechanism to avoid the refresh code from
+processing half-baked dictionary content.
+
 [id="plugins-{type}s-{plugin}-options"]
 ==== Translate Filter Configuration Options
 
@@ -57,6 +91,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-exact>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-fallback>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-field>> |<<string,string>>|Yes
+| <<plugins-{type}s-{plugin}-iterate_on>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-override>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-refresh_interval>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-regex>> |<<boolean,boolean>>|No
@@ -69,7 +104,7 @@ filter plugins.
 &nbsp;
 
 [id="plugins-{type}s-{plugin}-destination"]
-===== `destination` 
+===== `destination`
 
   * Value type is <<string,string>>
   * Default value is `"translation"`
@@ -77,10 +112,10 @@ filter plugins.
 The destination field you wish to populate with the translated code. The default
 is a field named `translation`. Set this to the same value as source if you want
 to do a substitution, in this case filter will allways succeed. This will clobber
-the old value of the source field! 
+the old value of the source field!
 
 [id="plugins-{type}s-{plugin}-dictionary"]
-===== `dictionary` 
+===== `dictionary`
 
   * Value type is <<hash,hash>>
   * Default value is `{}`
@@ -92,10 +127,10 @@ Example:
 [source,ruby]
     filter {
       translate {
-        dictionary => { 
-          "100"         => "Continue",
-          "101"         => "Switching Protocols",
-          "merci"       => "thank you",
+        dictionary => {
+          "100"         => "Continue"
+          "101"         => "Switching Protocols"
+          "merci"       => "thank you"
           "old version" => "new version"
         }
       }
@@ -104,7 +139,7 @@ Example:
 NOTE: It is an error to specify both `dictionary` and `dictionary_path`.
 
 [id="plugins-{type}s-{plugin}-dictionary_path"]
-===== `dictionary_path` 
+===== `dictionary_path`
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -122,12 +157,11 @@ NOTE: it is an error to specify both `dictionary` and `dictionary_path`.
 
 The currently supported formats are YAML, JSON, and CSV. Format selection is
 based on the file extension: `json` for JSON, `yaml` or `yml` for YAML, and
-`csv` for CSV. The JSON format only supports simple key/value, unnested
-objects. The CSV format expects exactly two columns, with the first serving
-as the original text, and the second column as the replacement.
+`csv` for CSV. The CSV format expects exactly two columns, with the first serving
+as the original text (lookup key), and the second column as the translation.
 
 [id="plugins-{type}s-{plugin}-exact"]
-===== `exact` 
+===== `exact`
 
   * Value type is <<boolean,boolean>>
   * Default value is `true`
@@ -148,10 +182,10 @@ will be also set to `bar`. However, if logstash receives an event with the `data
 set to `foofing`, the destination field will be set to `barfing`.
 
 Set both `exact => true` AND `regex => `true` if you would like to match using dictionary
-keys as regular expressions. A large dictionary could be expensive to match in this case. 
+keys as regular expressions. A large dictionary could be expensive to match in this case.
 
 [id="plugins-{type}s-{plugin}-fallback"]
-===== `fallback` 
+===== `fallback`
 
   * Value type is <<string,string>>
   * There is no default value for this setting.
@@ -169,19 +203,122 @@ then the destination field would still be populated, but with the value of `no m
 This configuration can be dynamic and include parts of the event using the `%{field}` syntax.
 
 [id="plugins-{type}s-{plugin}-field"]
-===== `field` 
+===== `field`
 
   * This is a required setting.
   * Value type is <<string,string>>
   * There is no default value for this setting.
 
 The name of the logstash event field containing the value to be compared for a
-match by the translate filter (e.g. `message`, `host`, `response_code`). 
+match by the translate filter (e.g. `message`, `host`, `response_code`).
 
 If this field is an array, only the first value will be used.
 
+[id="plugins-{type}s-{plugin}-iterate_on"]
+===== `iterate_on`
+
+  * Value type is <<string,string>>
+  * There is no default value for this setting.
+
+When the value that you need to perform enrichment on is a variable sized array
+then specify the field name in this setting. This setting introduces two modes,
+1) when the value is an array of strings and 2) when the value is an array of
+objects (as in JSON object). +
+In the first mode, you should have the same field name in both `field` and
+`iterate_on`, the result will be an array added to the field specified in the
+`destination` setting. This array will have the looked up value (or the
+`fallback` value or nil) in same ordinal position as each sought value. +
+In the second mode, specify the field that has the array of objects in
+`iterate_on` then specify the field in each object that provides the sought value
+with `field` and the field to write the looked up value (or the `fallback` value)
+to with `destination`.
+
+For a dictionary of:
+[source,csv]
+  100,Yuki
+  101,Rupert
+  102,Ahmed
+  103,Kwame
+
+Example of Mode 1
+[source,ruby]
+    filter {
+      translate {
+        iterate_on => "[collaborator_ids]"
+        field      => "[collaborator_ids]"
+        destination => "[collaborator_names]"
+        fallback => "Unknown"
+      }
+    }
+
+Before
+[source,json]
+  {
+    "collaborator_ids": [100,103,110,102]
+  }
+
+After
+[source,json]
+  {
+    "collaborator_ids": [100,103,110,102],
+    "collabrator_names": ["Yuki","Kwame","Unknown","Ahmed"]
+  }
+
+Example of Mode 2
+[source,ruby]
+    filter {
+      translate {
+        iterate_on => "[collaborators]"
+        field      => "[id]"
+        destination => "[name]"
+        fallback => "Unknown"
+      }
+    }
+
+Before
+[source,json]
+  {
+    "collaborators": [
+      {
+        "id": 100
+      },
+      {
+        "id": 103
+      },
+      {
+        "id": 110
+      },
+      {
+        "id": 101
+      }
+    ]
+  }
+
+After
+[source,json]
+  {
+    "collaborators": [
+      {
+        "id": 100,
+        "name": "Yuki"
+      },
+      {
+        "id": 103,
+        "name": "Kwame"
+      },
+      {
+        "id": 110,
+        "name": "Unknown"
+      },
+      {
+        "id": 101,
+        "name": "Rupert"
+      }
+    ]
+  }
+
 [id="plugins-{type}s-{plugin}-override"]
-===== `override` 
+===== `override`
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
@@ -191,21 +328,22 @@ whether the filter should skip translation (default) or overwrite the target fie
 value with the new translation value.
 
 [id="plugins-{type}s-{plugin}-refresh_interval"]
-===== `refresh_interval` 
+===== `refresh_interval`
 
   * Value type is <<number,number>>
   * Default value is `300`
 
 When using a dictionary file, this setting will indicate how frequently
-(in seconds) logstash will check the dictionary file for updates.
+(in seconds) logstash will check the dictionary file for updates. +
+A value of zero or less will disable refresh.
 
 [id="plugins-{type}s-{plugin}-regex"]
-===== `regex` 
+===== `regex`
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
 
-If you'd like to treat dictionary keys as regular expressions, set `exact => true`.
+If you'd like to treat dictionary keys as regular expressions, set `regex => true`.
 Note: this is activated only when `exact => true`.
 
 [id="plugins-{type}s-{plugin}-refresh_behaviour"]
@@ -215,8 +353,10 @@ Note: this is activated only when `exact => true`.
   * Default value is `merge`
 
 When using a dictionary file, this setting indicates how the update will be executed.
-Setting this to `merge` leads to entries removed from the dictionary file being kept;
-`replace` deletes old entries on update.
+Setting this to `merge` causes the new dictionary to be merged into the old one. This means
+same entry will be updated but entries that existed before but not in the new dictionary
+will remain after the merge; `replace` causes the whole dictionary to be replaced
+with a new one (deleting all entries of the old one on update).
 
 
 

data/lib/logstash/filters/array_of_maps_value_update.rb

@@ -0,0 +1,44 @@
+# encoding: utf-8
+
+module LogStash module Filters
+  class ArrayOfMapsValueUpdate
+    def initialize(iterate_on, field, destination, fallback, lookup)
+      @iterate_on = ensure_reference_format(iterate_on)
+      @field = ensure_reference_format(field)
+      @destination = ensure_reference_format(destination)
+      @fallback = fallback
+      @use_fallback = !fallback.nil? # fallback is not nil, the user set a value in the config
+      @lookup = lookup
+    end
+
+    def test_for_inclusion(event, override)
+      event.include?(@iterate_on)
+    end
+
+    def update(event)
+      val = event.get(@iterate_on) # should be an array of hashes
+      source = Array(val)
+      matches = Array.new(source.size)
+      source.size.times do |index|
+        nested_field = "#{@iterate_on}[#{index}]#{@field}"
+        nested_destination = "#{@iterate_on}[#{index}]#{@destination}"
+        inner = event.get(nested_field)
+        next if inner.nil?
+        matched = [true, nil]
+        @lookup.fetch_strategy.fetch(inner, matched)
+        if matched.first
+          event.set(nested_destination, matched.last)
+          matches[index] = true
+        elsif @use_fallback
+          event.set(nested_destination, event.sprintf(@fallback))
+          matches[index] = true
+        end
+      end
+      return matches.any?
+    end
+
+    def ensure_reference_format(field)
+      field.start_with?("[") && field.end_with?("]") ? field : "[#{field}]"
+    end
+  end
+end end

data/lib/logstash/filters/array_of_values_update.rb

@@ -0,0 +1,37 @@
+# encoding: utf-8
+
+module LogStash module Filters
+  class ArrayOfValuesUpdate
+    def initialize(iterate_on, destination, fallback, lookup)
+      @iterate_on = iterate_on
+      @destination = destination
+      @fallback = fallback
+      @use_fallback = !fallback.nil? # fallback is not nil, the user set a value in the config
+      @lookup = lookup
+    end
+
+    def test_for_inclusion(event, override)
+      # Skip translation in case @destination iterate_on already exists and @override is disabled.
+      return false if event.include?(@destination) && !override
+      event.include?(@iterate_on)
+    end
+
+    def update(event)
+      val = event.get(@iterate_on)
+      source = Array(val)
+      target = Array.new(source.size)
+      if @use_fallback
+        target.fill(event.sprintf(@fallback))
+      end
+      source.each_with_index do |inner, index|
+        matched = [true, nil]
+        @lookup.fetch_strategy.fetch(inner, matched)
+        if matched.first
+          target[index] = matched.last
+        end
+      end
+      event.set(@destination, target)
+      return target.any?
+    end
+  end
+end end

data/lib/logstash/filters/dictionary/csv_file.rb

@@ -0,0 +1,25 @@
+# encoding: utf-8
+require "csv"
+
+module LogStash module Filters module Dictionary
+  class CsvFile < File
+
+    protected
+
+    def initialize_for_file_type
+      @io = StringIO.new("")
+      @csv = CSV.new(@io)
+    end
+
+    def read_file_into_dictionary
+      # low level CSV read that tries to create as
+      # few intermediate objects as possible
+      # this overwrites the value at key
+      IO.foreach(@dictionary_path, :mode => 'r:bom|utf-8') do |line|
+        @io.string = line
+        k,v = @csv.shift
+        @dictionary[k] = v
+      end
+    end
+  end
+end end end