RubyGems - logstash-lib - Versions diffs - 1.3.2 - Mend

logstash-lib 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (419) hide show

data/.gitignore +24 -0
data/.tailor +8 -0
data/.travis.yml +12 -0
data/CHANGELOG +1185 -0
data/CONTRIBUTING.md +61 -0
data/CONTRIBUTORS +79 -0
data/LICENSE +14 -0
data/Makefile +460 -0
data/README.md +120 -0
data/STYLE.md +96 -0
data/bin/logstash +37 -0
data/bin/logstash-test +4 -0
data/bin/logstash-web +4 -0
data/bin/logstash.lib.sh +78 -0
data/bot/check_pull_changelog.rb +89 -0
data/docs/configuration.md +260 -0
data/docs/docgen.rb +242 -0
data/docs/extending/example-add-a-new-filter.md +121 -0
data/docs/extending/index.md +91 -0
data/docs/flags.md +43 -0
data/docs/generate_index.rb +28 -0
data/docs/index.html.erb +56 -0
data/docs/learn.md +46 -0
data/docs/life-of-an-event.md +109 -0
data/docs/logging-tool-comparisons.md +60 -0
data/docs/plugin-doc.html.erb +91 -0
data/docs/plugin-milestones.md +41 -0
data/docs/plugin-synopsis.html.erb +24 -0
data/docs/release-engineering.md +46 -0
data/docs/release-test-results.md +14 -0
data/docs/repositories.md +35 -0
data/docs/tutorials/10-minute-walkthrough/apache-elasticsearch.conf +35 -0
data/docs/tutorials/10-minute-walkthrough/apache-parse.conf +33 -0
data/docs/tutorials/10-minute-walkthrough/apache_log.1 +1 -0
data/docs/tutorials/10-minute-walkthrough/apache_log.2.bz2 +0 -0
data/docs/tutorials/10-minute-walkthrough/hello-search.conf +25 -0
data/docs/tutorials/10-minute-walkthrough/hello.conf +16 -0
data/docs/tutorials/10-minute-walkthrough/index.md +124 -0
data/docs/tutorials/10-minute-walkthrough/step-5-output.txt +17 -0
data/docs/tutorials/getting-started-centralized-overview-diagram.png +0 -0
data/docs/tutorials/getting-started-centralized-overview-diagram.xml +1 -0
data/docs/tutorials/getting-started-centralized.md +217 -0
data/docs/tutorials/getting-started-simple.md +200 -0
data/docs/tutorials/just-enough-rabbitmq-for-logstash.md +201 -0
data/docs/tutorials/media/frontend-response-codes.png +0 -0
data/docs/tutorials/metrics-from-logs.md +84 -0
data/docs/tutorials/zeromq.md +118 -0
data/extract_services.rb +29 -0
data/gembag.rb +64 -0
data/lib/logstash-event.rb +2 -0
data/lib/logstash.rb +4 -0
data/lib/logstash/JRUBY-6970-openssl.rb +22 -0
data/lib/logstash/JRUBY-6970.rb +102 -0
data/lib/logstash/agent.rb +305 -0
data/lib/logstash/certs/cacert.pem +3895 -0
data/lib/logstash/codecs/base.rb +49 -0
data/lib/logstash/codecs/compress_spooler.rb +50 -0
data/lib/logstash/codecs/dots.rb +18 -0
data/lib/logstash/codecs/edn.rb +28 -0
data/lib/logstash/codecs/edn_lines.rb +36 -0
data/lib/logstash/codecs/fluent.rb +55 -0
data/lib/logstash/codecs/graphite.rb +114 -0
data/lib/logstash/codecs/json.rb +41 -0
data/lib/logstash/codecs/json_lines.rb +52 -0
data/lib/logstash/codecs/json_spooler.rb +22 -0
data/lib/logstash/codecs/line.rb +58 -0
data/lib/logstash/codecs/msgpack.rb +43 -0
data/lib/logstash/codecs/multiline.rb +189 -0
data/lib/logstash/codecs/netflow.rb +342 -0
data/lib/logstash/codecs/netflow/util.rb +212 -0
data/lib/logstash/codecs/noop.rb +19 -0
data/lib/logstash/codecs/oldlogstashjson.rb +56 -0
data/lib/logstash/codecs/plain.rb +48 -0
data/lib/logstash/codecs/rubydebug.rb +22 -0
data/lib/logstash/codecs/spool.rb +38 -0
data/lib/logstash/config/Makefile +4 -0
data/lib/logstash/config/config_ast.rb +380 -0
data/lib/logstash/config/file.rb +39 -0
data/lib/logstash/config/grammar.rb +3504 -0
data/lib/logstash/config/grammar.treetop +241 -0
data/lib/logstash/config/mixin.rb +464 -0
data/lib/logstash/config/registry.rb +13 -0
data/lib/logstash/config/test.conf +18 -0
data/lib/logstash/errors.rb +10 -0
data/lib/logstash/event.rb +262 -0
data/lib/logstash/filters/advisor.rb +178 -0
data/lib/logstash/filters/alter.rb +173 -0
data/lib/logstash/filters/anonymize.rb +93 -0
data/lib/logstash/filters/base.rb +190 -0
data/lib/logstash/filters/checksum.rb +50 -0
data/lib/logstash/filters/cidr.rb +76 -0
data/lib/logstash/filters/cipher.rb +145 -0
data/lib/logstash/filters/clone.rb +35 -0
data/lib/logstash/filters/collate.rb +114 -0
data/lib/logstash/filters/csv.rb +94 -0
data/lib/logstash/filters/date.rb +244 -0
data/lib/logstash/filters/dns.rb +201 -0
data/lib/logstash/filters/drop.rb +32 -0
data/lib/logstash/filters/elapsed.rb +256 -0
data/lib/logstash/filters/elasticsearch.rb +73 -0
data/lib/logstash/filters/environment.rb +27 -0
data/lib/logstash/filters/extractnumbers.rb +84 -0
data/lib/logstash/filters/gelfify.rb +52 -0
data/lib/logstash/filters/geoip.rb +145 -0
data/lib/logstash/filters/grep.rb +153 -0
data/lib/logstash/filters/grok.rb +425 -0
data/lib/logstash/filters/grokdiscovery.rb +75 -0
data/lib/logstash/filters/i18n.rb +51 -0
data/lib/logstash/filters/json.rb +90 -0
data/lib/logstash/filters/json_encode.rb +52 -0
data/lib/logstash/filters/kv.rb +232 -0
data/lib/logstash/filters/metaevent.rb +68 -0
data/lib/logstash/filters/metrics.rb +237 -0
data/lib/logstash/filters/multiline.rb +241 -0
data/lib/logstash/filters/mutate.rb +399 -0
data/lib/logstash/filters/noop.rb +21 -0
data/lib/logstash/filters/prune.rb +149 -0
data/lib/logstash/filters/punct.rb +32 -0
data/lib/logstash/filters/railsparallelrequest.rb +86 -0
data/lib/logstash/filters/range.rb +142 -0
data/lib/logstash/filters/ruby.rb +42 -0
data/lib/logstash/filters/sleep.rb +111 -0
data/lib/logstash/filters/split.rb +64 -0
data/lib/logstash/filters/sumnumbers.rb +73 -0
data/lib/logstash/filters/syslog_pri.rb +107 -0
data/lib/logstash/filters/translate.rb +121 -0
data/lib/logstash/filters/unique.rb +29 -0
data/lib/logstash/filters/urldecode.rb +57 -0
data/lib/logstash/filters/useragent.rb +112 -0
data/lib/logstash/filters/uuid.rb +58 -0
data/lib/logstash/filters/xml.rb +139 -0
data/lib/logstash/filters/zeromq.rb +123 -0
data/lib/logstash/filterworker.rb +122 -0
data/lib/logstash/inputs/base.rb +125 -0
data/lib/logstash/inputs/collectd.rb +306 -0
data/lib/logstash/inputs/drupal_dblog.rb +323 -0
data/lib/logstash/inputs/drupal_dblog/jdbcconnection.rb +66 -0
data/lib/logstash/inputs/elasticsearch.rb +140 -0
data/lib/logstash/inputs/eventlog.rb +129 -0
data/lib/logstash/inputs/eventlog/racob_fix.rb +44 -0
data/lib/logstash/inputs/exec.rb +69 -0
data/lib/logstash/inputs/file.rb +146 -0
data/lib/logstash/inputs/ganglia.rb +127 -0
data/lib/logstash/inputs/ganglia/gmondpacket.rb +146 -0
data/lib/logstash/inputs/ganglia/xdr.rb +327 -0
data/lib/logstash/inputs/gelf.rb +138 -0
data/lib/logstash/inputs/gemfire.rb +222 -0
data/lib/logstash/inputs/generator.rb +97 -0
data/lib/logstash/inputs/graphite.rb +41 -0
data/lib/logstash/inputs/heroku.rb +51 -0
data/lib/logstash/inputs/imap.rb +136 -0
data/lib/logstash/inputs/irc.rb +84 -0
data/lib/logstash/inputs/log4j.rb +136 -0
data/lib/logstash/inputs/lumberjack.rb +53 -0
data/lib/logstash/inputs/pipe.rb +57 -0
data/lib/logstash/inputs/rabbitmq.rb +126 -0
data/lib/logstash/inputs/rabbitmq/bunny.rb +118 -0
data/lib/logstash/inputs/rabbitmq/hot_bunnies.rb +1 -0
data/lib/logstash/inputs/rabbitmq/march_hare.rb +129 -0
data/lib/logstash/inputs/redis.rb +263 -0
data/lib/logstash/inputs/relp.rb +106 -0
data/lib/logstash/inputs/s3.rb +279 -0
data/lib/logstash/inputs/snmptrap.rb +87 -0
data/lib/logstash/inputs/sqlite.rb +185 -0
data/lib/logstash/inputs/sqs.rb +172 -0
data/lib/logstash/inputs/stdin.rb +46 -0
data/lib/logstash/inputs/stomp.rb +84 -0
data/lib/logstash/inputs/syslog.rb +237 -0
data/lib/logstash/inputs/tcp.rb +231 -0
data/lib/logstash/inputs/threadable.rb +18 -0
data/lib/logstash/inputs/twitter.rb +82 -0
data/lib/logstash/inputs/udp.rb +81 -0
data/lib/logstash/inputs/unix.rb +163 -0
data/lib/logstash/inputs/varnishlog.rb +48 -0
data/lib/logstash/inputs/websocket.rb +50 -0
data/lib/logstash/inputs/wmi.rb +72 -0
data/lib/logstash/inputs/xmpp.rb +81 -0
data/lib/logstash/inputs/zenoss.rb +143 -0
data/lib/logstash/inputs/zeromq.rb +165 -0
data/lib/logstash/kibana.rb +113 -0
data/lib/logstash/loadlibs.rb +9 -0
data/lib/logstash/logging.rb +89 -0
data/lib/logstash/monkeypatches-for-bugs.rb +2 -0
data/lib/logstash/monkeypatches-for-debugging.rb +47 -0
data/lib/logstash/monkeypatches-for-performance.rb +66 -0
data/lib/logstash/multiqueue.rb +53 -0
data/lib/logstash/namespace.rb +16 -0
data/lib/logstash/outputs/base.rb +120 -0
data/lib/logstash/outputs/boundary.rb +116 -0
data/lib/logstash/outputs/circonus.rb +78 -0
data/lib/logstash/outputs/cloudwatch.rb +351 -0
data/lib/logstash/outputs/csv.rb +55 -0
data/lib/logstash/outputs/datadog.rb +93 -0
data/lib/logstash/outputs/datadog_metrics.rb +123 -0
data/lib/logstash/outputs/elasticsearch.rb +332 -0
data/lib/logstash/outputs/elasticsearch/elasticsearch-template.json +44 -0
data/lib/logstash/outputs/elasticsearch_http.rb +256 -0
data/lib/logstash/outputs/elasticsearch_river.rb +214 -0
data/lib/logstash/outputs/email.rb +299 -0
data/lib/logstash/outputs/exec.rb +40 -0
data/lib/logstash/outputs/file.rb +180 -0
data/lib/logstash/outputs/ganglia.rb +75 -0
data/lib/logstash/outputs/gelf.rb +208 -0
data/lib/logstash/outputs/gemfire.rb +103 -0
data/lib/logstash/outputs/google_bigquery.rb +570 -0
data/lib/logstash/outputs/google_cloud_storage.rb +431 -0
data/lib/logstash/outputs/graphite.rb +143 -0
data/lib/logstash/outputs/graphtastic.rb +185 -0
data/lib/logstash/outputs/hipchat.rb +80 -0
data/lib/logstash/outputs/http.rb +142 -0
data/lib/logstash/outputs/irc.rb +80 -0
data/lib/logstash/outputs/jira.rb +109 -0
data/lib/logstash/outputs/juggernaut.rb +105 -0
data/lib/logstash/outputs/librato.rb +146 -0
data/lib/logstash/outputs/loggly.rb +93 -0
data/lib/logstash/outputs/lumberjack.rb +51 -0
data/lib/logstash/outputs/metriccatcher.rb +103 -0
data/lib/logstash/outputs/mongodb.rb +81 -0
data/lib/logstash/outputs/nagios.rb +119 -0
data/lib/logstash/outputs/nagios_nsca.rb +123 -0
data/lib/logstash/outputs/null.rb +18 -0
data/lib/logstash/outputs/opentsdb.rb +101 -0
data/lib/logstash/outputs/pagerduty.rb +79 -0
data/lib/logstash/outputs/pipe.rb +132 -0
data/lib/logstash/outputs/rabbitmq.rb +96 -0
data/lib/logstash/outputs/rabbitmq/bunny.rb +135 -0
data/lib/logstash/outputs/rabbitmq/hot_bunnies.rb +1 -0
data/lib/logstash/outputs/rabbitmq/march_hare.rb +143 -0
data/lib/logstash/outputs/redis.rb +245 -0
data/lib/logstash/outputs/riak.rb +152 -0
data/lib/logstash/outputs/riemann.rb +109 -0
data/lib/logstash/outputs/s3.rb +356 -0
data/lib/logstash/outputs/sns.rb +124 -0
data/lib/logstash/outputs/solr_http.rb +78 -0
data/lib/logstash/outputs/sqs.rb +141 -0
data/lib/logstash/outputs/statsd.rb +116 -0
data/lib/logstash/outputs/stdout.rb +53 -0
data/lib/logstash/outputs/stomp.rb +67 -0
data/lib/logstash/outputs/syslog.rb +145 -0
data/lib/logstash/outputs/tcp.rb +145 -0
data/lib/logstash/outputs/udp.rb +38 -0
data/lib/logstash/outputs/websocket.rb +46 -0
data/lib/logstash/outputs/websocket/app.rb +29 -0
data/lib/logstash/outputs/websocket/pubsub.rb +45 -0
data/lib/logstash/outputs/xmpp.rb +78 -0
data/lib/logstash/outputs/zabbix.rb +108 -0
data/lib/logstash/outputs/zeromq.rb +125 -0
data/lib/logstash/pipeline.rb +286 -0
data/lib/logstash/plugin.rb +150 -0
data/lib/logstash/plugin_mixins/aws_config.rb +93 -0
data/lib/logstash/program.rb +15 -0
data/lib/logstash/runner.rb +238 -0
data/lib/logstash/sized_queue.rb +8 -0
data/lib/logstash/test.rb +183 -0
data/lib/logstash/threadwatchdog.rb +37 -0
data/lib/logstash/time_addon.rb +33 -0
data/lib/logstash/util.rb +106 -0
data/lib/logstash/util/buftok.rb +139 -0
data/lib/logstash/util/charset.rb +39 -0
data/lib/logstash/util/fieldreference.rb +50 -0
data/lib/logstash/util/password.rb +25 -0
data/lib/logstash/util/prctl.rb +11 -0
data/lib/logstash/util/relp.rb +326 -0
data/lib/logstash/util/require-helper.rb +18 -0
data/lib/logstash/util/socket_peer.rb +7 -0
data/lib/logstash/util/zenoss.rb +566 -0
data/lib/logstash/util/zeromq.rb +47 -0
data/lib/logstash/version.rb +6 -0
data/locales/en.yml +170 -0
data/logstash-event.gemspec +29 -0
data/logstash.gemspec +128 -0
data/patterns/firewalls +60 -0
data/patterns/grok-patterns +91 -0
data/patterns/haproxy +37 -0
data/patterns/java +3 -0
data/patterns/linux-syslog +14 -0
data/patterns/mcollective +1 -0
data/patterns/mcollective-patterns +4 -0
data/patterns/nagios +108 -0
data/patterns/postgresql +3 -0
data/patterns/redis +3 -0
data/patterns/ruby +2 -0
data/pkg/build.sh +135 -0
data/pkg/centos/after-install.sh +1 -0
data/pkg/centos/before-install.sh +10 -0
data/pkg/centos/before-remove.sh +11 -0
data/pkg/centos/sysconfig +15 -0
data/pkg/debian/after-install.sh +5 -0
data/pkg/debian/before-install.sh +13 -0
data/pkg/debian/before-remove.sh +13 -0
data/pkg/debian/build.sh +34 -0
data/pkg/debian/debian/README +6 -0
data/pkg/debian/debian/changelog +17 -0
data/pkg/debian/debian/compat +1 -0
data/pkg/debian/debian/control +16 -0
data/pkg/debian/debian/copyright +27 -0
data/pkg/debian/debian/dirs +19 -0
data/pkg/debian/debian/docs +0 -0
data/pkg/debian/debian/logstash.default +39 -0
data/pkg/debian/debian/logstash.init +201 -0
data/pkg/debian/debian/logstash.install +1 -0
data/pkg/debian/debian/logstash.logrotate +9 -0
data/pkg/debian/debian/logstash.postinst +68 -0
data/pkg/debian/debian/logstash.postrm +23 -0
data/pkg/debian/debian/manpage.1.ex +59 -0
data/pkg/debian/debian/preinst.ex +37 -0
data/pkg/debian/debian/prerm.ex +40 -0
data/pkg/debian/debian/release.conf +5 -0
data/pkg/debian/debian/rules +80 -0
data/pkg/debian/debian/watch.ex +22 -0
data/pkg/logrotate.conf +8 -0
data/pkg/logstash-web.default +41 -0
data/pkg/logstash-web.sysv.debian +201 -0
data/pkg/logstash-web.upstart.ubuntu +18 -0
data/pkg/logstash.default +45 -0
data/pkg/logstash.sysv.debian +202 -0
data/pkg/logstash.sysv.redhat +158 -0
data/pkg/logstash.upstart.ubuntu +20 -0
data/pkg/rpm/SOURCES/logstash.conf +26 -0
data/pkg/rpm/SOURCES/logstash.init +80 -0
data/pkg/rpm/SOURCES/logstash.logrotate +8 -0
data/pkg/rpm/SOURCES/logstash.sysconfig +3 -0
data/pkg/rpm/SOURCES/logstash.wrapper +105 -0
data/pkg/rpm/SPECS/logstash.spec +180 -0
data/pkg/rpm/readme.md +4 -0
data/pkg/ubuntu/after-install.sh +7 -0
data/pkg/ubuntu/before-install.sh +12 -0
data/pkg/ubuntu/before-remove.sh +13 -0
data/pull_release_note.rb +25 -0
data/require-analyze.rb +22 -0
data/spec/README.md +14 -0
data/spec/codecs/edn.rb +40 -0
data/spec/codecs/edn_lines.rb +53 -0
data/spec/codecs/graphite.rb +96 -0
data/spec/codecs/json.rb +57 -0
data/spec/codecs/json_lines.rb +51 -0
data/spec/codecs/json_spooler.rb +43 -0
data/spec/codecs/msgpack.rb +39 -0
data/spec/codecs/multiline.rb +60 -0
data/spec/codecs/oldlogstashjson.rb +55 -0
data/spec/codecs/plain.rb +35 -0
data/spec/codecs/spool.rb +35 -0
data/spec/conditionals/test.rb +323 -0
data/spec/config.rb +31 -0
data/spec/event.rb +165 -0
data/spec/examples/fail2ban.rb +28 -0
data/spec/examples/graphite-input.rb +41 -0
data/spec/examples/mysql-slow-query.rb +70 -0
data/spec/examples/parse-apache-logs.rb +66 -0
data/spec/examples/parse-haproxy-logs.rb +115 -0
data/spec/examples/syslog.rb +48 -0
data/spec/filters/alter.rb +96 -0
data/spec/filters/anonymize.rb +189 -0
data/spec/filters/checksum.rb +41 -0
data/spec/filters/clone.rb +67 -0
data/spec/filters/collate.rb +122 -0
data/spec/filters/csv.rb +174 -0
data/spec/filters/date.rb +285 -0
data/spec/filters/date_performance.rb +31 -0
data/spec/filters/dns.rb +159 -0
data/spec/filters/drop.rb +19 -0
data/spec/filters/elapsed.rb +294 -0
data/spec/filters/environment.rb +43 -0
data/spec/filters/geoip.rb +62 -0
data/spec/filters/grep.rb +342 -0
data/spec/filters/grok.rb +473 -0
data/spec/filters/grok/timeout2.rb +56 -0
data/spec/filters/grok/timeouts.rb +39 -0
data/spec/filters/i18n.rb +25 -0
data/spec/filters/json.rb +72 -0
data/spec/filters/json_encode.rb +37 -0
data/spec/filters/kv.rb +403 -0
data/spec/filters/metrics.rb +212 -0
data/spec/filters/multiline.rb +119 -0
data/spec/filters/mutate.rb +180 -0
data/spec/filters/noop.rb +221 -0
data/spec/filters/prune.rb +441 -0
data/spec/filters/punct.rb +18 -0
data/spec/filters/railsparallelrequest.rb +112 -0
data/spec/filters/range.rb +169 -0
data/spec/filters/split.rb +58 -0
data/spec/filters/translate.rb +70 -0
data/spec/filters/unique.rb +25 -0
data/spec/filters/useragent.rb +42 -0
data/spec/filters/xml.rb +157 -0
data/spec/inputs/file.rb +107 -0
data/spec/inputs/gelf.rb +52 -0
data/spec/inputs/generator.rb +30 -0
data/spec/inputs/imap.rb +60 -0
data/spec/inputs/redis.rb +63 -0
data/spec/inputs/relp.rb +70 -0
data/spec/inputs/tcp.rb +101 -0
data/spec/jar.rb +21 -0
data/spec/outputs/csv.rb +266 -0
data/spec/outputs/elasticsearch.rb +161 -0
data/spec/outputs/elasticsearch_http.rb +240 -0
data/spec/outputs/email.rb +173 -0
data/spec/outputs/file.rb +82 -0
data/spec/outputs/graphite.rb +236 -0
data/spec/outputs/redis.rb +127 -0
data/spec/speed.rb +20 -0
data/spec/sqlite-test.rb +81 -0
data/spec/support/LOGSTASH-733.rb +21 -0
data/spec/support/LOGSTASH-820.rb +25 -0
data/spec/support/akamai-grok.rb +26 -0
data/spec/support/date-http.rb +17 -0
data/spec/support/postwait1.rb +26 -0
data/spec/support/pull375.rb +21 -0
data/spec/test_utils.rb +125 -0
data/spec/util/fieldeval_spec.rb +44 -0
data/test/jenkins/config.xml.erb +74 -0
data/test/jenkins/create-jobs.rb +23 -0
data/test/jenkins/generatorjob.config.xml +66 -0
data/tools/Gemfile +14 -0
data/tools/Gemfile.jruby-1.9.lock +322 -0
data/tools/Gemfile.rbx-2.1.lock +516 -0
data/tools/Gemfile.ruby-1.9.1.lock +310 -0
data/tools/Gemfile.ruby-2.0.0.lock +310 -0
metadata +629 -0

data/lib/logstash/filters/metaevent.rb ADDED

@@ -0,0 +1,68 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+class LogStash::Filters::Metaevent < LogStash::Filters::Base
+  config_name "metaevent"
+  milestone 1
+  # syntax: `followed_by_tags => [ "tag", "tag" ]`
+  config :followed_by_tags, :validate => :array, :required => true
+  # syntax: `period => 60`
+  config :period, :validate => :number, :default => 5
+  def register
+    @logger.debug("registering")
+    @metaevents = []
+  end
+  def filter(event)
+    if filter?(event)
+      start_period(event)
+    elsif within_period(event)
+      if followed_by_tags_match(event)
+        trigger(event)
+      else
+        @logger.debug(["metaevent", @add_tag, "ignoring (tags don't match)", event])
+      end
+    else
+      @logger.debug(["metaevent", @add_tag, "ignoring (not in period)", event])
+    end
+  end
+  def flush
+    return if @metaevents.empty?
+    new_events = @metaevents
+    @metaevents = []
+    new_events
+  end
+  private
+  def start_period(event)
+    @logger.debug(["metaevent", @add_tag, "start_period", event])
+    @start_event = event
+  end
+  def trigger(event)
+    @logger.debug(["metaevent", @add_tag, "trigger", event])
+    event = LogStash::Event.new
+    event["source"] = Socket.gethostname
+    event["tags"] = [@add_tag]
+    @metaevents << event
+    @start_event = nil
+  end
+  def followed_by_tags_match(event)
+    (event["tags"] & @followed_by_tags).size == @followed_by_tags.size
+  end
+  def within_period(event)
+    time_delta = event["@timestamp"] - @start_event["@timestamp"]
+    time_delta >= 0 && time_delta <= @period
+  end
+end

data/lib/logstash/filters/metrics.rb ADDED

@@ -0,0 +1,237 @@
+# encoding: utf-8
+require "securerandom"
+require "logstash/filters/base"
+require "logstash/namespace"
+# The metrics filter is useful for aggregating metrics.
+#
+# For example, if you have a field 'response' that is
+# a http response code, and you want to count each
+# kind of response, you can do this:
+#
+#     filter {
+#       metrics {
+#         meter => [ "http.%{response}" ]
+#         add_tag => "metric"
+#       }
+#     }
+#
+# Metrics are flushed every 5 seconds by default or according to
+# 'flush_interval'. Metrics appear as
+# new events in the event stream and go through any filters
+# that occur after as well as outputs.
+#
+# In general, you will want to add a tag to your metrics and have an output
+# explicitly look for that tag.
+#
+# The event that is flushed will include every 'meter' and 'timer'
+# metric in the following way:
+#
+# #### 'meter' values
+#
+# For a `meter => "something"` you will receive the following fields:
+#
+# * "thing.count" - the total count of events
+# * "thing.rate_1m" - the 1-minute rate (sliding)
+# * "thing.rate_5m" - the 5-minute rate (sliding)
+# * "thing.rate_15m" - the 15-minute rate (sliding)
+#
+# #### 'timer' values
+#
+# For a `timer => [ "thing", "%{duration}" ]` you will receive the following fields:
+#
+# * "thing.count" - the total count of events
+# * "thing.rate_1m" - the 1-minute rate of events (sliding)
+# * "thing.rate_5m" - the 5-minute rate of events (sliding)
+# * "thing.rate_15m" - the 15-minute rate of events (sliding)
+# * "thing.min" - the minimum value seen for this metric
+# * "thing.max" - the maximum value seen for this metric
+# * "thing.stddev" - the standard deviation for this metric
+# * "thing.mean" - the mean for this metric
+#
+# #### Example: computing event rate
+#
+# For a simple example, let's track how many events per second are running
+# through logstash:
+#
+#     input {
+#       generator {
+#         type => "generated"
+#       }
+#     }
+#
+#     filter {
+#       metrics {
+#         type => "generated"
+#         meter => "events"
+#         add_tag => "metric"
+#       }
+#     }
+#
+#     output {
+#       stdout {
+#         # only emit events with the 'metric' tag
+#         tags => "metric"
+#         message => "rate: %{events.rate_1m}"
+#       }
+#     }
+#
+# Running the above:
+#
+#     % java -jar logstash.jar agent -f example.conf
+#     rate: 23721.983566819246
+#     rate: 24811.395722536377
+#     rate: 25875.892745934525
+#     rate: 26836.42375967113
+#
+# We see the output includes our 'events' 1-minute rate.
+#
+# In the real world, you would emit this to graphite or another metrics store,
+# like so:
+#
+#     output {
+#       graphite {
+#         metrics => [ "events.rate_1m", "%{events.rate_1m}" ]
+#       }
+#     }
+class LogStash::Filters::Metrics < LogStash::Filters::Base
+  config_name "metrics"
+  milestone 1
+  # syntax: `meter => [ "name of metric", "name of metric" ]`
+  config :meter, :validate => :array, :default => []
+  # syntax: `timer => [ "name of metric", "%{time_value}" ]`
+  config :timer, :validate => :hash, :default => {}
+  # Don't track events that have @timestamp older than some number of seconds.
+  #
+  # This is useful if you want to only include events that are near real-time
+  # in your metrics.
+  #
+  # Example, to only count events that are within 10 seconds of real-time, you
+  # would do this:
+  #
+  #     filter {
+  #       metrics {
+  #         meter => [ "hits" ]
+  #         ignore_older_than => 10
+  #       }
+  #     }
+  config :ignore_older_than, :validate => :number, :default => 0
+  # The flush interval, when the metrics event is created. Must be a multiple of 5s.
+  config :flush_interval, :validate => :number, :default => 5
+  # The clear interval, when all counter are reset.
+  #
+  # If set to -1, the default value, the metrics will never be cleared.
+  # Otherwise, should be a multiple of 5s.
+  config :clear_interval, :validate => :number, :default => -1
+  # The rates that should be measured, in minutes.
+  # Possible values are 1, 5, and 15.
+  config :rates, :validate => :array, :default => [1, 5, 15]
+  # The percentiles that should be measured
+  config :percentiles, :validate => :array, :default => [1, 5, 10, 90, 95, 99, 100]
+  def register
+    require "metriks"
+    require "socket"
+    @last_flush = 0 # how many seconds ago the metrics where flushed.
+    @last_clear = 0 # how many seconds ago the metrics where cleared.
+    @random_key_preffix = SecureRandom.hex
+    unless (@rates - [1, 5, 15]).empty?
+      raise LogStash::ConfigurationError, "Invalid rates configuration. possible rates are 1, 5, 15. Rates: #{rates}."
+    end
+    initialize_metrics
+  end # def register
+  def filter(event)
+    return unless filter?(event)
+    # TODO(piavlo): This should probably be moved to base filter class.
+    if @ignore_older_than > 0 && Time.now - event["@timestamp"] > @ignore_older_than
+      @logger.debug("Skipping metriks for old event", :event => event)
+      return
+    end
+    @meter.each do |m|
+      @metric_meters[event.sprintf(m)].mark
+    end
+    @timer.each do |name, value|
+      @metric_timers[event.sprintf(name)].update(event.sprintf(value).to_f)
+    end
+  end # def filter
+  def flush
+    # Add 5 seconds to @last_flush and @last_clear counters
+    # since this method is called every 5 seconds.
+    @last_flush += 5
+    @last_clear += 5
+    # Do nothing if there's nothing to do ;)
+    return unless should_flush?
+    event = LogStash::Event.new
+    event["message"] = Socket.gethostname
+    @metric_meters.each do |name, metric|
+      flush_rates event, name, metric
+      metric.clear if should_clear?
+    end
+    @metric_timers.each do |name, metric|
+      flush_rates event, name, metric
+      # These 4 values are not sliding, so they probably are not useful.
+      event["#{name}.min"] = metric.min
+      event["#{name}.max"] = metric.max
+      # timer's stddev currently returns variance, fix it.
+      event["#{name}.stddev"] = metric.stddev ** 0.5
+      event["#{name}.mean"] = metric.mean
+      @percentiles.each do |percentile|
+        event["#{name}.p#{percentile}"] = metric.snapshot.value(percentile / 100)
+      end
+      metric.clear if should_clear?
+    end
+    # Reset counter since metrics were flushed
+    @last_flush = 0
+    if should_clear?
+      #Reset counter since metrics were cleared
+      @last_clear = 0
+      initialize_metrics
+    end
+    filter_matched(event)
+    return [event]
+  end
+  private
+  def flush_rates(event, name, metric)
+      event["#{name}.count"] = metric.count
+      event["#{name}.rate_1m"] = metric.one_minute_rate if @rates.include? 1
+      event["#{name}.rate_5m"] = metric.five_minute_rate if @rates.include? 5
+      event["#{name}.rate_15m"] = metric.fifteen_minute_rate if @rates.include? 15
+  end
+  def initialize_metrics
+    @metric_meters = Hash.new { |h,k| h[k] = Metriks.meter metric_key(k) }
+    @metric_timers = Hash.new { |h,k| h[k] = Metriks.timer metric_key(k) }
+  end
+  def metric_key(key)
+    "#{@random_key_preffix}_#{key}"
+  end
+  def should_flush?
+    @last_flush >= @flush_interval && (@metric_meters.any? || @metric_timers.any?)
+  end
+  def should_clear?
+    @clear_interval > 0 && @last_clear >= @clear_interval
+  end
+end # class LogStash::Filters::Metrics

data/lib/logstash/filters/multiline.rb ADDED

@@ -0,0 +1,241 @@
+# encoding: utf-8
+# multiline filter
+#
+# This filter will collapse multiline messages into a single event.
+#
+require "logstash/filters/base"
+require "logstash/namespace"
+require "set"
+# The multiline filter is for combining multiple events from a single source
+# into the same event.
+#
+# The original goal of this filter was to allow joining of multi-line messages
+# from files into a single event. For example - joining java exception and
+# stacktrace messages into a single event.
+#
+# TODO(sissel): Document any issues?
+# The config looks like this:
+#
+#     filter {
+#       multiline {
+#         type => "type"
+#         pattern => "pattern, a regexp"
+#         negate => boolean
+#         what => "previous" or "next"
+#       }
+#     }
+#
+# The 'regexp' should match what you believe to be an indicator that
+# the field is part of a multi-line event
+#
+# The 'what' must be "previous" or "next" and indicates the relation
+# to the multi-line event.
+#
+# The 'negate' can be "true" or "false" (defaults false). If true, a
+# message not matching the pattern will constitute a match of the multiline
+# filter and the what will be applied. (vice-versa is also true)
+#
+# For example, java stack traces are multiline and usually have the message
+# starting at the far-left, then each subsequent line indented. Do this:
+#
+#     filter {
+#       multiline {
+#         type => "somefiletype"
+#         pattern => "^\s"
+#         what => "previous"
+#       }
+#     }
+#
+# This says that any line starting with whitespace belongs to the previous line.
+#
+# Another example is C line continuations (backslash). Here's how to do that:
+#
+#     filter {
+#       multiline {
+#         type => "somefiletype "
+#         pattern => "\\$"
+#         what => "next"
+#       }
+#     }
+#
+class LogStash::Filters::Multiline < LogStash::Filters::Base
+  config_name "multiline"
+  milestone 3
+  # The regular expression to match
+  config :pattern, :validate => :string, :required => true
+  # If the pattern matched, does event belong to the next or previous event?
+  config :what, :validate => ["previous", "next"], :required => true
+  # Negate the regexp pattern ('if not matched')
+  config :negate, :validate => :boolean, :default => false
+  # The stream identity is how the multiline filter determines which stream an
+  # event belongs. This is generally used for differentiating, say, events
+  # coming from multiple files in the same file input, or multiple connections
+  # coming from a tcp input.
+  #
+  # The default value here is usually what you want, but there are some cases
+  # where you want to change it. One such example is if you are using a tcp
+  # input with only one client connecting at any time. If that client
+  # reconnects (due to error or client restart), then logstash will identify
+  # the new connection as a new stream and break any multiline goodness that
+  # may have occurred between the old and new connection. To solve this use
+  # case, you can use "%{@source_host}.%{@type}" instead.
+  config :stream_identity , :validate => :string, :default => "%{host}.%{path}.%{type}"
+  # logstash ships by default with a bunch of patterns, so you don't
+  # necessarily need to define this yourself unless you are adding additional
+  # patterns.
+  #
+  # Pattern files are plain text with format:
+  #
+  #     NAME PATTERN
+  #
+  # For example:
+  #
+  #     NUMBER \d+
+  config :patterns_dir, :validate => :array, :default => []
+  # Detect if we are running from a jarfile, pick the right path.
+  @@patterns_path = Set.new
+  if __FILE__ =~ /file:\/.*\.jar!.*/
+    @@patterns_path += ["#{File.dirname(__FILE__)}/../../patterns/*"]
+  else
+    @@patterns_path += ["#{File.dirname(__FILE__)}/../../../patterns/*"]
+  end
+  public
+  def initialize(config = {})
+    super
+    @threadsafe = false
+    # This filter needs to keep state.
+    @types = Hash.new { |h,k| h[k] = [] }
+    @pending = Hash.new
+  end # def initialize
+  public
+  def register
+    require "grok-pure" # rubygem 'jls-grok'
+    @grok = Grok.new
+    @patterns_dir = @@patterns_path.to_a + @patterns_dir
+    @patterns_dir.each do |path|
+      # Can't read relative paths from jars, try to normalize away '../'
+      while path =~ /file:\/.*\.jar!.*\/\.\.\//
+        # replace /foo/bar/../baz => /foo/baz
+        path = path.gsub(/[^\/]+\/\.\.\//, "")
+      end
+      if File.directory?(path)
+        path = File.join(path, "*")
+      end
+      Dir.glob(path).each do |file|
+        @logger.info("Grok loading patterns from file", :path => file)
+        @grok.add_patterns_from_file(file)
+      end
+    end
+    @grok.compile(@pattern)
+    @logger.debug("Registered multiline plugin", :type => @type, :config => @config)
+  end # def register
+  public
+  def filter(event)
+    return unless filter?(event)
+    if event["message"].is_a?(Array)
+      match = @grok.match(event["message"].first)
+    else
+      match = @grok.match(event["message"])
+    end
+    key = event.sprintf(@stream_identity)
+    pending = @pending[key]
+    @logger.debug("Multiline", :pattern => @pattern, :message => event["message"],
+                  :match => match, :negate => @negate)
+    # Add negate option
+    match = (match and !@negate) || (!match and @negate)
+    case @what
+    when "previous"
+      if match
+        event.tag "multiline"
+        # previous previous line is part of this event.
+        # append it to the event and cancel it
+        if pending
+          pending.append(event)
+        else
+          @pending[key] = event
+        end
+        event.cancel
+      else
+        # this line is not part of the previous event
+        # if we have a pending event, it's done, send it.
+        # put the current event into pending
+        if pending
+          tmp = event.to_hash
+          event.overwrite(pending)
+          @pending[key] = LogStash::Event.new(tmp)
+        else
+          @pending[key] = event
+          event.cancel
+        end # if/else pending
+      end # if/else match
+    when "next"
+      if match
+        event.tag "multiline"
+        # this line is part of a multiline event, the next
+        # line will be part, too, put it into pending.
+        if pending
+          pending.append(event)
+        else
+          @pending[key] = event
+        end
+        event.cancel
+      else
+        # if we have something in pending, join it with this message
+        # and send it. otherwise, this is a new message and not part of
+        # multiline, send it.
+        if pending
+          pending.append(event)
+          event.overwrite(pending.to_hash)
+          @pending.delete(key)
+        end
+      end # if/else match
+    else
+      # TODO(sissel): Make this part of the 'register' method.
+      @logger.warn("Unknown multiline 'what' value.", :what => @what)
+    end # case @what
+    if !event.cancelled?
+      event["message"] = event["message"].join("\n") if event["message"].is_a?(Array)
+      event["@timestamp"] = event["@timestamp"].first if event["@timestamp"].is_a?(Array)
+      filter_matched(event) if match
+    end
+  end # def filter
+  # Flush any pending messages. This is generally used for unit testing only.
+  #
+  # Note: flush is disabled now; it is preferable to use the multiline codec.
+  public
+  def __flush
+    events = []
+    @pending.each do |key, value|
+      value.uncancel
+      events << value
+    end
+    @pending.clear
+    return events
+  end # def flush
+end # class LogStash::Filters::Multiline