RubyGems - logstash-lib - Versions diffs - 1.3.2 - Mend

logstash-lib 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (419) hide show

data/.gitignore +24 -0
data/.tailor +8 -0
data/.travis.yml +12 -0
data/CHANGELOG +1185 -0
data/CONTRIBUTING.md +61 -0
data/CONTRIBUTORS +79 -0
data/LICENSE +14 -0
data/Makefile +460 -0
data/README.md +120 -0
data/STYLE.md +96 -0
data/bin/logstash +37 -0
data/bin/logstash-test +4 -0
data/bin/logstash-web +4 -0
data/bin/logstash.lib.sh +78 -0
data/bot/check_pull_changelog.rb +89 -0
data/docs/configuration.md +260 -0
data/docs/docgen.rb +242 -0
data/docs/extending/example-add-a-new-filter.md +121 -0
data/docs/extending/index.md +91 -0
data/docs/flags.md +43 -0
data/docs/generate_index.rb +28 -0
data/docs/index.html.erb +56 -0
data/docs/learn.md +46 -0
data/docs/life-of-an-event.md +109 -0
data/docs/logging-tool-comparisons.md +60 -0
data/docs/plugin-doc.html.erb +91 -0
data/docs/plugin-milestones.md +41 -0
data/docs/plugin-synopsis.html.erb +24 -0
data/docs/release-engineering.md +46 -0
data/docs/release-test-results.md +14 -0
data/docs/repositories.md +35 -0
data/docs/tutorials/10-minute-walkthrough/apache-elasticsearch.conf +35 -0
data/docs/tutorials/10-minute-walkthrough/apache-parse.conf +33 -0
data/docs/tutorials/10-minute-walkthrough/apache_log.1 +1 -0
data/docs/tutorials/10-minute-walkthrough/apache_log.2.bz2 +0 -0
data/docs/tutorials/10-minute-walkthrough/hello-search.conf +25 -0
data/docs/tutorials/10-minute-walkthrough/hello.conf +16 -0
data/docs/tutorials/10-minute-walkthrough/index.md +124 -0
data/docs/tutorials/10-minute-walkthrough/step-5-output.txt +17 -0
data/docs/tutorials/getting-started-centralized-overview-diagram.png +0 -0
data/docs/tutorials/getting-started-centralized-overview-diagram.xml +1 -0
data/docs/tutorials/getting-started-centralized.md +217 -0
data/docs/tutorials/getting-started-simple.md +200 -0
data/docs/tutorials/just-enough-rabbitmq-for-logstash.md +201 -0
data/docs/tutorials/media/frontend-response-codes.png +0 -0
data/docs/tutorials/metrics-from-logs.md +84 -0
data/docs/tutorials/zeromq.md +118 -0
data/extract_services.rb +29 -0
data/gembag.rb +64 -0
data/lib/logstash-event.rb +2 -0
data/lib/logstash.rb +4 -0
data/lib/logstash/JRUBY-6970-openssl.rb +22 -0
data/lib/logstash/JRUBY-6970.rb +102 -0
data/lib/logstash/agent.rb +305 -0
data/lib/logstash/certs/cacert.pem +3895 -0
data/lib/logstash/codecs/base.rb +49 -0
data/lib/logstash/codecs/compress_spooler.rb +50 -0
data/lib/logstash/codecs/dots.rb +18 -0
data/lib/logstash/codecs/edn.rb +28 -0
data/lib/logstash/codecs/edn_lines.rb +36 -0
data/lib/logstash/codecs/fluent.rb +55 -0
data/lib/logstash/codecs/graphite.rb +114 -0
data/lib/logstash/codecs/json.rb +41 -0
data/lib/logstash/codecs/json_lines.rb +52 -0
data/lib/logstash/codecs/json_spooler.rb +22 -0
data/lib/logstash/codecs/line.rb +58 -0
data/lib/logstash/codecs/msgpack.rb +43 -0
data/lib/logstash/codecs/multiline.rb +189 -0
data/lib/logstash/codecs/netflow.rb +342 -0
data/lib/logstash/codecs/netflow/util.rb +212 -0
data/lib/logstash/codecs/noop.rb +19 -0
data/lib/logstash/codecs/oldlogstashjson.rb +56 -0
data/lib/logstash/codecs/plain.rb +48 -0
data/lib/logstash/codecs/rubydebug.rb +22 -0
data/lib/logstash/codecs/spool.rb +38 -0
data/lib/logstash/config/Makefile +4 -0
data/lib/logstash/config/config_ast.rb +380 -0
data/lib/logstash/config/file.rb +39 -0
data/lib/logstash/config/grammar.rb +3504 -0
data/lib/logstash/config/grammar.treetop +241 -0
data/lib/logstash/config/mixin.rb +464 -0
data/lib/logstash/config/registry.rb +13 -0
data/lib/logstash/config/test.conf +18 -0
data/lib/logstash/errors.rb +10 -0
data/lib/logstash/event.rb +262 -0
data/lib/logstash/filters/advisor.rb +178 -0
data/lib/logstash/filters/alter.rb +173 -0
data/lib/logstash/filters/anonymize.rb +93 -0
data/lib/logstash/filters/base.rb +190 -0
data/lib/logstash/filters/checksum.rb +50 -0
data/lib/logstash/filters/cidr.rb +76 -0
data/lib/logstash/filters/cipher.rb +145 -0
data/lib/logstash/filters/clone.rb +35 -0
data/lib/logstash/filters/collate.rb +114 -0
data/lib/logstash/filters/csv.rb +94 -0
data/lib/logstash/filters/date.rb +244 -0
data/lib/logstash/filters/dns.rb +201 -0
data/lib/logstash/filters/drop.rb +32 -0
data/lib/logstash/filters/elapsed.rb +256 -0
data/lib/logstash/filters/elasticsearch.rb +73 -0
data/lib/logstash/filters/environment.rb +27 -0
data/lib/logstash/filters/extractnumbers.rb +84 -0
data/lib/logstash/filters/gelfify.rb +52 -0
data/lib/logstash/filters/geoip.rb +145 -0
data/lib/logstash/filters/grep.rb +153 -0
data/lib/logstash/filters/grok.rb +425 -0
data/lib/logstash/filters/grokdiscovery.rb +75 -0
data/lib/logstash/filters/i18n.rb +51 -0
data/lib/logstash/filters/json.rb +90 -0
data/lib/logstash/filters/json_encode.rb +52 -0
data/lib/logstash/filters/kv.rb +232 -0
data/lib/logstash/filters/metaevent.rb +68 -0
data/lib/logstash/filters/metrics.rb +237 -0
data/lib/logstash/filters/multiline.rb +241 -0
data/lib/logstash/filters/mutate.rb +399 -0
data/lib/logstash/filters/noop.rb +21 -0
data/lib/logstash/filters/prune.rb +149 -0
data/lib/logstash/filters/punct.rb +32 -0
data/lib/logstash/filters/railsparallelrequest.rb +86 -0
data/lib/logstash/filters/range.rb +142 -0
data/lib/logstash/filters/ruby.rb +42 -0
data/lib/logstash/filters/sleep.rb +111 -0
data/lib/logstash/filters/split.rb +64 -0
data/lib/logstash/filters/sumnumbers.rb +73 -0
data/lib/logstash/filters/syslog_pri.rb +107 -0
data/lib/logstash/filters/translate.rb +121 -0
data/lib/logstash/filters/unique.rb +29 -0
data/lib/logstash/filters/urldecode.rb +57 -0
data/lib/logstash/filters/useragent.rb +112 -0
data/lib/logstash/filters/uuid.rb +58 -0
data/lib/logstash/filters/xml.rb +139 -0
data/lib/logstash/filters/zeromq.rb +123 -0
data/lib/logstash/filterworker.rb +122 -0
data/lib/logstash/inputs/base.rb +125 -0
data/lib/logstash/inputs/collectd.rb +306 -0
data/lib/logstash/inputs/drupal_dblog.rb +323 -0
data/lib/logstash/inputs/drupal_dblog/jdbcconnection.rb +66 -0
data/lib/logstash/inputs/elasticsearch.rb +140 -0
data/lib/logstash/inputs/eventlog.rb +129 -0
data/lib/logstash/inputs/eventlog/racob_fix.rb +44 -0
data/lib/logstash/inputs/exec.rb +69 -0
data/lib/logstash/inputs/file.rb +146 -0
data/lib/logstash/inputs/ganglia.rb +127 -0
data/lib/logstash/inputs/ganglia/gmondpacket.rb +146 -0
data/lib/logstash/inputs/ganglia/xdr.rb +327 -0
data/lib/logstash/inputs/gelf.rb +138 -0
data/lib/logstash/inputs/gemfire.rb +222 -0
data/lib/logstash/inputs/generator.rb +97 -0
data/lib/logstash/inputs/graphite.rb +41 -0
data/lib/logstash/inputs/heroku.rb +51 -0
data/lib/logstash/inputs/imap.rb +136 -0
data/lib/logstash/inputs/irc.rb +84 -0
data/lib/logstash/inputs/log4j.rb +136 -0
data/lib/logstash/inputs/lumberjack.rb +53 -0
data/lib/logstash/inputs/pipe.rb +57 -0
data/lib/logstash/inputs/rabbitmq.rb +126 -0
data/lib/logstash/inputs/rabbitmq/bunny.rb +118 -0
data/lib/logstash/inputs/rabbitmq/hot_bunnies.rb +1 -0
data/lib/logstash/inputs/rabbitmq/march_hare.rb +129 -0
data/lib/logstash/inputs/redis.rb +263 -0
data/lib/logstash/inputs/relp.rb +106 -0
data/lib/logstash/inputs/s3.rb +279 -0
data/lib/logstash/inputs/snmptrap.rb +87 -0
data/lib/logstash/inputs/sqlite.rb +185 -0
data/lib/logstash/inputs/sqs.rb +172 -0
data/lib/logstash/inputs/stdin.rb +46 -0
data/lib/logstash/inputs/stomp.rb +84 -0
data/lib/logstash/inputs/syslog.rb +237 -0
data/lib/logstash/inputs/tcp.rb +231 -0
data/lib/logstash/inputs/threadable.rb +18 -0
data/lib/logstash/inputs/twitter.rb +82 -0
data/lib/logstash/inputs/udp.rb +81 -0
data/lib/logstash/inputs/unix.rb +163 -0
data/lib/logstash/inputs/varnishlog.rb +48 -0
data/lib/logstash/inputs/websocket.rb +50 -0
data/lib/logstash/inputs/wmi.rb +72 -0
data/lib/logstash/inputs/xmpp.rb +81 -0
data/lib/logstash/inputs/zenoss.rb +143 -0
data/lib/logstash/inputs/zeromq.rb +165 -0
data/lib/logstash/kibana.rb +113 -0
data/lib/logstash/loadlibs.rb +9 -0
data/lib/logstash/logging.rb +89 -0
data/lib/logstash/monkeypatches-for-bugs.rb +2 -0
data/lib/logstash/monkeypatches-for-debugging.rb +47 -0
data/lib/logstash/monkeypatches-for-performance.rb +66 -0
data/lib/logstash/multiqueue.rb +53 -0
data/lib/logstash/namespace.rb +16 -0
data/lib/logstash/outputs/base.rb +120 -0
data/lib/logstash/outputs/boundary.rb +116 -0
data/lib/logstash/outputs/circonus.rb +78 -0
data/lib/logstash/outputs/cloudwatch.rb +351 -0
data/lib/logstash/outputs/csv.rb +55 -0
data/lib/logstash/outputs/datadog.rb +93 -0
data/lib/logstash/outputs/datadog_metrics.rb +123 -0
data/lib/logstash/outputs/elasticsearch.rb +332 -0
data/lib/logstash/outputs/elasticsearch/elasticsearch-template.json +44 -0
data/lib/logstash/outputs/elasticsearch_http.rb +256 -0
data/lib/logstash/outputs/elasticsearch_river.rb +214 -0
data/lib/logstash/outputs/email.rb +299 -0
data/lib/logstash/outputs/exec.rb +40 -0
data/lib/logstash/outputs/file.rb +180 -0
data/lib/logstash/outputs/ganglia.rb +75 -0
data/lib/logstash/outputs/gelf.rb +208 -0
data/lib/logstash/outputs/gemfire.rb +103 -0
data/lib/logstash/outputs/google_bigquery.rb +570 -0
data/lib/logstash/outputs/google_cloud_storage.rb +431 -0
data/lib/logstash/outputs/graphite.rb +143 -0
data/lib/logstash/outputs/graphtastic.rb +185 -0
data/lib/logstash/outputs/hipchat.rb +80 -0
data/lib/logstash/outputs/http.rb +142 -0
data/lib/logstash/outputs/irc.rb +80 -0
data/lib/logstash/outputs/jira.rb +109 -0
data/lib/logstash/outputs/juggernaut.rb +105 -0
data/lib/logstash/outputs/librato.rb +146 -0
data/lib/logstash/outputs/loggly.rb +93 -0
data/lib/logstash/outputs/lumberjack.rb +51 -0
data/lib/logstash/outputs/metriccatcher.rb +103 -0
data/lib/logstash/outputs/mongodb.rb +81 -0
data/lib/logstash/outputs/nagios.rb +119 -0
data/lib/logstash/outputs/nagios_nsca.rb +123 -0
data/lib/logstash/outputs/null.rb +18 -0
data/lib/logstash/outputs/opentsdb.rb +101 -0
data/lib/logstash/outputs/pagerduty.rb +79 -0
data/lib/logstash/outputs/pipe.rb +132 -0
data/lib/logstash/outputs/rabbitmq.rb +96 -0
data/lib/logstash/outputs/rabbitmq/bunny.rb +135 -0
data/lib/logstash/outputs/rabbitmq/hot_bunnies.rb +1 -0
data/lib/logstash/outputs/rabbitmq/march_hare.rb +143 -0
data/lib/logstash/outputs/redis.rb +245 -0
data/lib/logstash/outputs/riak.rb +152 -0
data/lib/logstash/outputs/riemann.rb +109 -0
data/lib/logstash/outputs/s3.rb +356 -0
data/lib/logstash/outputs/sns.rb +124 -0
data/lib/logstash/outputs/solr_http.rb +78 -0
data/lib/logstash/outputs/sqs.rb +141 -0
data/lib/logstash/outputs/statsd.rb +116 -0
data/lib/logstash/outputs/stdout.rb +53 -0
data/lib/logstash/outputs/stomp.rb +67 -0
data/lib/logstash/outputs/syslog.rb +145 -0
data/lib/logstash/outputs/tcp.rb +145 -0
data/lib/logstash/outputs/udp.rb +38 -0
data/lib/logstash/outputs/websocket.rb +46 -0
data/lib/logstash/outputs/websocket/app.rb +29 -0
data/lib/logstash/outputs/websocket/pubsub.rb +45 -0
data/lib/logstash/outputs/xmpp.rb +78 -0
data/lib/logstash/outputs/zabbix.rb +108 -0
data/lib/logstash/outputs/zeromq.rb +125 -0
data/lib/logstash/pipeline.rb +286 -0
data/lib/logstash/plugin.rb +150 -0
data/lib/logstash/plugin_mixins/aws_config.rb +93 -0
data/lib/logstash/program.rb +15 -0
data/lib/logstash/runner.rb +238 -0
data/lib/logstash/sized_queue.rb +8 -0
data/lib/logstash/test.rb +183 -0
data/lib/logstash/threadwatchdog.rb +37 -0
data/lib/logstash/time_addon.rb +33 -0
data/lib/logstash/util.rb +106 -0
data/lib/logstash/util/buftok.rb +139 -0
data/lib/logstash/util/charset.rb +39 -0
data/lib/logstash/util/fieldreference.rb +50 -0
data/lib/logstash/util/password.rb +25 -0
data/lib/logstash/util/prctl.rb +11 -0
data/lib/logstash/util/relp.rb +326 -0
data/lib/logstash/util/require-helper.rb +18 -0
data/lib/logstash/util/socket_peer.rb +7 -0
data/lib/logstash/util/zenoss.rb +566 -0
data/lib/logstash/util/zeromq.rb +47 -0
data/lib/logstash/version.rb +6 -0
data/locales/en.yml +170 -0
data/logstash-event.gemspec +29 -0
data/logstash.gemspec +128 -0
data/patterns/firewalls +60 -0
data/patterns/grok-patterns +91 -0
data/patterns/haproxy +37 -0
data/patterns/java +3 -0
data/patterns/linux-syslog +14 -0
data/patterns/mcollective +1 -0
data/patterns/mcollective-patterns +4 -0
data/patterns/nagios +108 -0
data/patterns/postgresql +3 -0
data/patterns/redis +3 -0
data/patterns/ruby +2 -0
data/pkg/build.sh +135 -0
data/pkg/centos/after-install.sh +1 -0
data/pkg/centos/before-install.sh +10 -0
data/pkg/centos/before-remove.sh +11 -0
data/pkg/centos/sysconfig +15 -0
data/pkg/debian/after-install.sh +5 -0
data/pkg/debian/before-install.sh +13 -0
data/pkg/debian/before-remove.sh +13 -0
data/pkg/debian/build.sh +34 -0
data/pkg/debian/debian/README +6 -0
data/pkg/debian/debian/changelog +17 -0
data/pkg/debian/debian/compat +1 -0
data/pkg/debian/debian/control +16 -0
data/pkg/debian/debian/copyright +27 -0
data/pkg/debian/debian/dirs +19 -0
data/pkg/debian/debian/docs +0 -0
data/pkg/debian/debian/logstash.default +39 -0
data/pkg/debian/debian/logstash.init +201 -0
data/pkg/debian/debian/logstash.install +1 -0
data/pkg/debian/debian/logstash.logrotate +9 -0
data/pkg/debian/debian/logstash.postinst +68 -0
data/pkg/debian/debian/logstash.postrm +23 -0
data/pkg/debian/debian/manpage.1.ex +59 -0
data/pkg/debian/debian/preinst.ex +37 -0
data/pkg/debian/debian/prerm.ex +40 -0
data/pkg/debian/debian/release.conf +5 -0
data/pkg/debian/debian/rules +80 -0
data/pkg/debian/debian/watch.ex +22 -0
data/pkg/logrotate.conf +8 -0
data/pkg/logstash-web.default +41 -0
data/pkg/logstash-web.sysv.debian +201 -0
data/pkg/logstash-web.upstart.ubuntu +18 -0
data/pkg/logstash.default +45 -0
data/pkg/logstash.sysv.debian +202 -0
data/pkg/logstash.sysv.redhat +158 -0
data/pkg/logstash.upstart.ubuntu +20 -0
data/pkg/rpm/SOURCES/logstash.conf +26 -0
data/pkg/rpm/SOURCES/logstash.init +80 -0
data/pkg/rpm/SOURCES/logstash.logrotate +8 -0
data/pkg/rpm/SOURCES/logstash.sysconfig +3 -0
data/pkg/rpm/SOURCES/logstash.wrapper +105 -0
data/pkg/rpm/SPECS/logstash.spec +180 -0
data/pkg/rpm/readme.md +4 -0
data/pkg/ubuntu/after-install.sh +7 -0
data/pkg/ubuntu/before-install.sh +12 -0
data/pkg/ubuntu/before-remove.sh +13 -0
data/pull_release_note.rb +25 -0
data/require-analyze.rb +22 -0
data/spec/README.md +14 -0
data/spec/codecs/edn.rb +40 -0
data/spec/codecs/edn_lines.rb +53 -0
data/spec/codecs/graphite.rb +96 -0
data/spec/codecs/json.rb +57 -0
data/spec/codecs/json_lines.rb +51 -0
data/spec/codecs/json_spooler.rb +43 -0
data/spec/codecs/msgpack.rb +39 -0
data/spec/codecs/multiline.rb +60 -0
data/spec/codecs/oldlogstashjson.rb +55 -0
data/spec/codecs/plain.rb +35 -0
data/spec/codecs/spool.rb +35 -0
data/spec/conditionals/test.rb +323 -0
data/spec/config.rb +31 -0
data/spec/event.rb +165 -0
data/spec/examples/fail2ban.rb +28 -0
data/spec/examples/graphite-input.rb +41 -0
data/spec/examples/mysql-slow-query.rb +70 -0
data/spec/examples/parse-apache-logs.rb +66 -0
data/spec/examples/parse-haproxy-logs.rb +115 -0
data/spec/examples/syslog.rb +48 -0
data/spec/filters/alter.rb +96 -0
data/spec/filters/anonymize.rb +189 -0
data/spec/filters/checksum.rb +41 -0
data/spec/filters/clone.rb +67 -0
data/spec/filters/collate.rb +122 -0
data/spec/filters/csv.rb +174 -0
data/spec/filters/date.rb +285 -0
data/spec/filters/date_performance.rb +31 -0
data/spec/filters/dns.rb +159 -0
data/spec/filters/drop.rb +19 -0
data/spec/filters/elapsed.rb +294 -0
data/spec/filters/environment.rb +43 -0
data/spec/filters/geoip.rb +62 -0
data/spec/filters/grep.rb +342 -0
data/spec/filters/grok.rb +473 -0
data/spec/filters/grok/timeout2.rb +56 -0
data/spec/filters/grok/timeouts.rb +39 -0
data/spec/filters/i18n.rb +25 -0
data/spec/filters/json.rb +72 -0
data/spec/filters/json_encode.rb +37 -0
data/spec/filters/kv.rb +403 -0
data/spec/filters/metrics.rb +212 -0
data/spec/filters/multiline.rb +119 -0
data/spec/filters/mutate.rb +180 -0
data/spec/filters/noop.rb +221 -0
data/spec/filters/prune.rb +441 -0
data/spec/filters/punct.rb +18 -0
data/spec/filters/railsparallelrequest.rb +112 -0
data/spec/filters/range.rb +169 -0
data/spec/filters/split.rb +58 -0
data/spec/filters/translate.rb +70 -0
data/spec/filters/unique.rb +25 -0
data/spec/filters/useragent.rb +42 -0
data/spec/filters/xml.rb +157 -0
data/spec/inputs/file.rb +107 -0
data/spec/inputs/gelf.rb +52 -0
data/spec/inputs/generator.rb +30 -0
data/spec/inputs/imap.rb +60 -0
data/spec/inputs/redis.rb +63 -0
data/spec/inputs/relp.rb +70 -0
data/spec/inputs/tcp.rb +101 -0
data/spec/jar.rb +21 -0
data/spec/outputs/csv.rb +266 -0
data/spec/outputs/elasticsearch.rb +161 -0
data/spec/outputs/elasticsearch_http.rb +240 -0
data/spec/outputs/email.rb +173 -0
data/spec/outputs/file.rb +82 -0
data/spec/outputs/graphite.rb +236 -0
data/spec/outputs/redis.rb +127 -0
data/spec/speed.rb +20 -0
data/spec/sqlite-test.rb +81 -0
data/spec/support/LOGSTASH-733.rb +21 -0
data/spec/support/LOGSTASH-820.rb +25 -0
data/spec/support/akamai-grok.rb +26 -0
data/spec/support/date-http.rb +17 -0
data/spec/support/postwait1.rb +26 -0
data/spec/support/pull375.rb +21 -0
data/spec/test_utils.rb +125 -0
data/spec/util/fieldeval_spec.rb +44 -0
data/test/jenkins/config.xml.erb +74 -0
data/test/jenkins/create-jobs.rb +23 -0
data/test/jenkins/generatorjob.config.xml +66 -0
data/tools/Gemfile +14 -0
data/tools/Gemfile.jruby-1.9.lock +322 -0
data/tools/Gemfile.rbx-2.1.lock +516 -0
data/tools/Gemfile.ruby-1.9.1.lock +310 -0
data/tools/Gemfile.ruby-2.0.0.lock +310 -0
metadata +629 -0

data/spec/filters/environment.rb ADDED

@@ -0,0 +1,43 @@
+require "test_utils"
+require "logstash/filters/environment"
+describe LogStash::Filters::Environment do
+  extend LogStash::RSpec
+  describe "add a field from the environment" do
+    # The logstash config goes here.
+    # At this time, only filters are supported.
+    config <<-CONFIG
+      filter {
+        environment {
+          add_field_from_env => [ "newfield", "MY_ENV_VAR" ]
+        }
+      }
+    CONFIG
+    ENV["MY_ENV_VAR"] = "hello world"
+    sample "example" do
+      insist { subject["newfield"] } == "hello world"
+    end
+  end
+  describe "does nothing on non-matching events" do
+    # The logstash config goes here.
+    # At this time, only filters are supported.
+    config <<-CONFIG
+      filter {
+        environment {
+          type => "foo"
+          add_field_from_env => [ "newfield", "MY_ENV_VAR" ]
+        }
+      }
+    CONFIG
+    ENV["MY_ENV_VAR"] = "hello world"
+    sample("type" => "bar", "message" => "fizz") do
+      insist { subject["newfield"] }.nil?
+    end
+  end
+end

data/spec/filters/geoip.rb ADDED

@@ -0,0 +1,62 @@
+require "test_utils"
+require "logstash/filters/geoip"
+describe LogStash::Filters::GeoIP do
+  extend LogStash::RSpec
+  describe "defaults" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+          #database => "vendor/geoip/GeoLiteCity.dat"
+        }
+      }
+    CONFIG
+    sample("ip" => "8.8.8.8") do
+      insist { subject }.include?("geoip")
+      expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           latitude longitude dma_code area_code timezone
+                           location )
+      expected_fields.each do |f|
+        insist { subject["geoip"] }.include?(f)
+      end
+    end
+    sample("ip" => "127.0.0.1") do
+      # assume geoip fails on localhost lookups
+      reject { subject }.include?("geoip")
+    end
+  end
+  describe "Specify the target" do
+    config <<-CONFIG
+      filter {
+        geoip {
+          source => "ip"
+          #database => "vendor/geoip/GeoLiteCity.dat"
+          target => src_ip
+        }
+      }
+    CONFIG
+    sample("ip" => "8.8.8.8") do
+      insist { subject }.include?("src_ip")
+      expected_fields = %w(ip country_code2 country_code3 country_name
+                           continent_code region_name city_name postal_code
+                           latitude longitude dma_code area_code timezone
+                           location )
+      expected_fields.each do |f|
+        insist { subject["src_ip"] }.include?(f)
+      end
+    end
+    sample("ip" => "127.0.0.1") do
+      # assume geoip fails on localhost lookups
+      reject { subject }.include?("src_ip")
+    end
+  end
+end

data/spec/filters/grep.rb ADDED

@@ -0,0 +1,342 @@
+require "test_utils"
+require "logstash/filters/grep"
+describe LogStash::Filters::Grep do
+  extend LogStash::RSpec
+  describe "single grep match" do
+    config <<-CONFIG
+      filter {
+        grep {
+          match => [ "str", "test" ]
+        }
+      }
+    CONFIG
+    sample("str" => "test: this should not be dropped") do
+      reject { subject }.nil?
+    end
+    sample("str" => "foo: this should be dropped") do
+      insist { subject }.nil?
+    end
+  end
+  describe "single match failure cancels the event" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str",  "test" ]
+      }
+    }
+    CONFIG
+    sample("str" => "foo: this should be dropped") do
+      insist { subject }.nil?
+    end
+  end
+  describe "single match failure does not cancel the event with drop set to false" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        drop => false
+      }
+    }
+    CONFIG
+    sample("str" => "foo: this should not be dropped") do
+      reject { subject }.nil?
+    end
+  end
+  describe "multiple match conditions" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [
+          "str", "test",
+          "bar", "baz"
+        ]
+      }
+    }
+    CONFIG
+    sample("str" => "test: this should not be dropped", "bar" => "foo baz foo") do
+      reject { subject }.nil?
+    end
+  end
+  describe "multiple match conditions should cancel on failure" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [
+          "str", "test",
+          "bar", "baz"
+        ]
+      }
+    }
+    CONFIG
+    sample("str" => "test: this should be dropped", "bar" => "foo bAz foo") do
+      insist { subject }.nil?
+    end
+  end
+  describe "single condition with regexp syntax" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "(?i)test.*foo"]
+      }
+    }
+    CONFIG
+    sample("str" => "TeST regexp match FoO") do
+      reject { subject }.nil?
+    end
+  end
+  describe "single condition with regexp syntax cancels on failure" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test.*foo" ]
+      }
+    }
+    CONFIG
+    sample("str" => "TeST regexp match FoO") do
+      insist { subject }.nil?
+    end
+  end
+  describe "adding one field on success" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        add_field => ["new_field", "new_value"]
+      }
+    }
+    CONFIG
+    sample("str" => "test") do
+      reject { subject }.nil?
+      insist { subject["new_field"]} == "new_value"
+    end
+  end
+  describe "adding one field with a sprintf value" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        add_field => ["new_field", "%{type}"]
+      }
+    }
+    CONFIG
+    sample("type" => "grepper", "str" => "test") do
+      reject { subject }.nil?
+      insist { subject["new_field"]} == subject["type"]
+    end
+  end
+  # following test was __DISABLED_FOR_NOW_, remember why ?
+  # Seems to be multi-match several time on the same field not allowed
+  # maybe a clearer test on multi-match on same field could be created
+  # Also add_field behaviour tested separately in new NOOP test for add_field
+  # describe "adding fields on successful multiple match" do
+  #   config <<-CONFIG
+  #   filter {
+  #     grep {
+  #       match => [ "str", "test" ]
+  #       add_field => ["new_field", "new_value"]
+  #       match => [ "str", ".*" ]
+  #       add_field => ["new_field", "new_value_2"]
+  #     }
+  #   }
+  #   CONFIG
+  #
+  #   sample("type" => "grepper", "str" => "test") do
+  #     reject { subject }.nil?
+  #     insist { subject["new_field"]} == ["new_value", "new_value_2"]
+  #   end
+  # end
+  describe "add tags" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        add_tag => ["new_tag"]
+      }
+    }
+    CONFIG
+    sample("tags" => ["tag"], "str" => "test") do
+      reject { subject }.nil?
+      insist { subject["tags"]} == ["tag", "new_tag"]
+    end
+  end
+  describe "add tags with drop set to false tags matching events" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        drop => false
+        add_tag => ["new_tag"]
+      }
+    }
+    CONFIG
+    sample("tags" => ["tag"], "str" => "test") do
+      reject { subject }.nil?
+      insist { subject["tags"]} == ["tag", "new_tag"]
+    end
+  end
+  describe "add tags with drop set to false allows non-matching events through" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        drop => false
+        add_tag => ["new_tag"]
+      }
+    }
+    CONFIG
+    sample("tags" => ["tag"], "str" => "non-matching") do
+      reject { subject }.nil?
+      insist { subject["tags"]} == ["tag"]
+    end
+  end
+  describe "add tags with sprintf value" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "test" ]
+        add_tag => ["%{str}"]
+      }
+    }
+    CONFIG
+    sample("tags" => ["tag"], "str" => "test") do
+      reject { subject }.nil?
+      insist { subject["tags"]} == ["tag", subject["str"]]
+    end
+  end
+  describe "negate=true should not cause drops when field is nil" do
+    # Set negate to true; the pattern being searched doesn't actually matter
+    # here. We're testing to make sure "grep -v" behavior doesn't drop events
+    # that don't even have the field being filtered for.
+    config <<-CONFIG
+    filter {
+      grep {
+        match => [ "str", "doesn't matter lol" ]
+        negate => true
+      }
+    }
+    CONFIG
+    sample("tags" => ["tag"], "str" => nil) do
+      reject { subject }.nil?
+    end
+  end
+  #LOGSTASH-599
+  describe "drop line based on type and tags 'matching' only but otherwise pattern matching" do
+    config <<-CONFIG
+    filter {
+      grep {
+        type => "testing"
+        tags => ["_grokparsefailure"]
+        negate => true
+      }
+    }
+    CONFIG
+    sample("type" => "testing", "tags" => ["_grokparsefailure"], "str" => "test") do
+      insist { subject }.nil?
+    end
+  end
+  #LOGSTASH-894 and LOGSTASH-919
+  describe "repeat a field in match config, similar to piped grep command line" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => ["message", "hello", "message", "world"]
+      }
+    }
+    CONFIG
+    #both match
+    sample "hello world" do
+      reject { subject }.nil?
+    end
+    #one match
+    sample "bye world" do
+      insist { subject }.nil?
+    end
+    #one match
+    sample "hello Jordan" do
+      insist { subject }.nil?
+    end
+    #no match
+    sample "WTF" do
+      insist { subject }.nil?
+    end
+  end
+  describe "repeat a field in match config, similar to several -e in grep command line" do
+    config <<-CONFIG
+    filter {
+      grep {
+        match => ["message", "hello", "message", "world"]
+        negate => true
+      }
+    }
+    CONFIG
+    #both match
+    sample "hello world" do
+      insist { subject }.nil?
+    end
+    #one match
+    sample "bye world" do
+      insist { subject }.nil?
+    end
+    #one match
+    sample "hello Jordan" do
+      insist { subject }.nil?
+    end
+    #no match
+    sample "WTF" do
+      reject { subject }.nil?
+    end
+  end
+  describe "case-insensitive matching" do
+    config <<-CONFIG
+      filter {
+        grep {
+          ignore_case => true
+          match => [ "str", "test" ]
+        }
+      }
+    CONFIG
+    sample("str" => "tEsT: this should still be matched") do
+      reject { subject }.nil?
+    end
+  end
+end

data/spec/filters/grok.rb ADDED

@@ -0,0 +1,473 @@
+require "test_utils"
+require "logstash/filters/grok"
+describe LogStash::Filters::Grok do
+  extend LogStash::RSpec
+  describe "simple syslog line" do
+    # The logstash config goes here.
+    # At this time, only filters are supported.
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message", "%{SYSLOGLINE}" ]
+          singles => true
+          overwrite => [ "message" ]
+        }
+      }
+    CONFIG
+    sample "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]" do
+      insist { subject["tags"] }.nil?
+      insist { subject["logsource"] } == "evita"
+      insist { subject["timestamp"] } == "Mar 16 00:01:25"
+      insist { subject["message"] } == "connect from camomile.cloud9.net[168.100.1.3]"
+      insist { subject["program"] } == "postfix/smtpd"
+      insist { subject["pid"] } == "1713"
+    end
+  end
+  describe "ietf 5424 syslog line" do
+    # The logstash config goes here.
+    # At this time, only filters are supported.
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "%{SYSLOG5424LINE}" ]
+          singles => true
+        }
+      }
+    CONFIG
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - [id1 foo=\"bar\"][id2 baz=\"something\"] Hello, syslog." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == "4123"
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == "[id1 foo=\"bar\"][id2 baz=\"something\"]"
+      insist { subject["syslog5424_msg"] } == "Hello, syslog."
+    end
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - [id1 foo=\"bar\"] No process ID." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == nil
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == "[id1 foo=\"bar\"]"
+      insist { subject["syslog5424_msg"] } == "No process ID."
+    end
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - - No structured data." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == "4123"
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == nil
+      insist { subject["syslog5424_msg"] } == "No structured data."
+    end
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug - - - No PID or SD." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == nil
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == nil
+      insist { subject["syslog5424_msg"] } == "No PID or SD."
+    end
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 -  Missing structured data." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == "4123"
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == nil
+      insist { subject["syslog5424_msg"] } == "Missing structured data."
+    end
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug  4123 - - Additional spaces." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == "4123"
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == nil
+      insist { subject["syslog5424_msg"] } == "Additional spaces."
+    end
+    sample "<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug  4123 -  Additional spaces and missing SD." do
+      insist { subject["tags"] }.nil?
+      insist { subject["syslog5424_pri"] } == "191"
+      insist { subject["syslog5424_ver"] } == "1"
+      insist { subject["syslog5424_ts"] } == "2009-06-30T18:30:00+02:00"
+      insist { subject["syslog5424_host"] } == "paxton.local"
+      insist { subject["syslog5424_app"] } == "grokdebug"
+      insist { subject["syslog5424_proc"] } == "4123"
+      insist { subject["syslog5424_msgid"] } == nil
+      insist { subject["syslog5424_sd"] } == nil
+      insist { subject["syslog5424_msg"] } == "Additional spaces and missing SD."
+    end
+  end
+  describe "parsing an event with multiple messages (array of strings)", :if => false do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "(?:hello|world) %{NUMBER}" ]
+          named_captures_only => false
+        }
+      }
+    CONFIG
+    sample("message" => [ "hello 12345", "world 23456" ]) do
+      insist { subject["NUMBER"] } == [ "12345", "23456" ]
+    end
+  end
+  describe "coercing matched values" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "%{NUMBER:foo:int} %{NUMBER:bar:float}" ]
+          singles => true
+        }
+      }
+    CONFIG
+    sample "400 454.33" do
+      insist { subject["foo"] } == 400
+      insist { subject["foo"] }.is_a?(Fixnum)
+      insist { subject["bar"] } == 454.33
+      insist { subject["bar"] }.is_a?(Float)
+    end
+  end
+  describe "in-line pattern definitions" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "%{FIZZLE=\\d+}" ]
+          named_captures_only => false
+          singles => true
+        }
+      }
+    CONFIG
+    sample "hello 1234" do
+      insist { subject["FIZZLE"] } == "1234"
+    end
+  end
+  describe "processing selected fields" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "%{WORD:word}" ]
+          match => [ "examplefield", "%{NUMBER:num}" ]
+          break_on_match => false
+          singles => true
+        }
+      }
+    CONFIG
+    sample("message" => "hello world", "examplefield" => "12345") do
+      insist { subject["examplefield"] } == "12345"
+      insist { subject["word"] } == "hello"
+    end
+  end
+  describe "adding fields on match" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "matchme %{NUMBER:fancy}" ]
+          singles => true
+          add_field => [ "new_field", "%{fancy}" ]
+        }
+      }
+    CONFIG
+    sample "matchme 1234" do
+      insist { subject["tags"] }.nil?
+      insist { subject["new_field"] } == "1234"
+    end
+    sample "this will not be matched" do
+      insist { subject["tags"] }.include?("_grokparsefailure")
+      reject { subject }.include?("new_field")
+    end
+  end
+  context "empty fields" do
+    describe "drop by default" do
+      config <<-CONFIG
+        filter {
+          grok {
+            match => [ "message",  "1=%{WORD:foo1} *(2=%{WORD:foo2})?" ]
+          }
+        }
+      CONFIG
+      sample "1=test" do
+        insist { subject["tags"] }.nil?
+        insist { subject }.include?("foo1")
+        # Since 'foo2' was not captured, it must not be present in the event.
+        reject { subject }.include?("foo2")
+      end
+    end
+    describe "keep if keep_empty_captures is true" do
+      config <<-CONFIG
+        filter {
+          grok {
+            match => [ "message",  "1=%{WORD:foo1} *(2=%{WORD:foo2})?" ]
+            keep_empty_captures => true
+          }
+        }
+      CONFIG
+      sample "1=test" do
+        insist { subject["tags"] }.nil?
+        # use .to_hash for this test, for now, because right now
+        # the Event.include? returns false for missing fields as well
+        # as for fields with nil values.
+        insist { subject.to_hash }.include?("foo2")
+        insist { subject.to_hash }.include?("foo2")
+      end
+    end
+  end
+  describe "when named_captures_only == false" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "Hello %{WORD}. %{WORD:foo}" ]
+          named_captures_only => false
+          singles => true
+        }
+      }
+    CONFIG
+    sample "Hello World, yo!" do
+      insist { subject }.include?("WORD")
+      insist { subject["WORD"] } == "World"
+      insist { subject }.include?("foo")
+      insist { subject["foo"] } == "yo"
+    end
+  end
+  describe "using oniguruma named captures (?<name>regex)" do
+    context "plain regexp" do
+      config <<-'CONFIG'
+        filter {
+          grok {
+            singles => true
+            match => [ "message",  "(?<foo>\w+)" ]
+          }
+        }
+      CONFIG
+      sample "hello world" do
+        insist { subject["tags"] }.nil?
+        insist { subject["foo"] } == "hello"
+      end
+    end
+    context "grok patterns" do
+      config <<-'CONFIG'
+        filter {
+          grok {
+            singles => true
+            match => [ "message",  "(?<timestamp>%{DATE_EU} %{TIME})" ]
+          }
+        }
+      CONFIG
+      sample "fancy 12-12-12 12:12:12" do
+        insist { subject["tags"] }.nil?
+        insist { subject["timestamp"] } == "12-12-12 12:12:12"
+      end
+    end
+  end
+  describe "grok on integer types" do
+    config <<-'CONFIG'
+      filter {
+        grok {
+          match => [ "status", "^403$" ]
+          add_tag => "four_oh_three"
+        }
+      }
+    CONFIG
+    sample("status" => 403) do
+      reject { subject["tags"] }.include?("_grokparsefailure")
+      insist { subject["tags"] }.include?("four_oh_three")
+    end
+  end
+  describe "grok on float types" do
+    config <<-'CONFIG'
+      filter {
+        grok {
+          match => [ "version", "^1.0$" ]
+          add_tag => "one_point_oh"
+        }
+      }
+    CONFIG
+    sample("version" => 1.0) do
+      insist { subject["tags"] }.include?("one_point_oh")
+      insist { subject["tags"] }.include?("one_point_oh")
+    end
+  end
+  describe "grok on %{LOGLEVEL}" do
+    config <<-'CONFIG'
+      filter {
+        grok {
+          pattern => "%{LOGLEVEL:level}: error!"
+        }
+      }
+    CONFIG
+    log_level_names = %w(
+      trace Trace TRACE
+      debug Debug DEBUG
+      notice Notice Notice
+      info Info INFO
+      warn warning Warn Warning WARN WARNING
+      err error Err Error ERR ERROR
+      crit critical Crit Critical CRIT CRITICAL
+      fatal Fatal FATAL
+      severe Severe SEVERE
+      emerg emergency Emerg Emergency EMERG EMERGENCY
+    )
+    log_level_names.each do |level_name|
+      sample "#{level_name}: error!" do
+        insist { subject['level'] } == level_name
+      end
+    end
+  end
+  describe "tagging on failure" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "matchme %{NUMBER:fancy}" ]
+          tag_on_failure => false
+        }
+      }
+    CONFIG
+    sample "matchme 1234" do
+      insist { subject["tags"] }.nil?
+    end
+    sample "this will not be matched" do
+      insist { subject["tags"] }.include?("false")
+    end
+  end
+  describe "captures named fields even if the whole text matches" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "%{DATE_EU:stimestamp}" ]
+          singles => true
+        }
+      }
+    CONFIG
+    sample "11/01/01" do
+      insist { subject["stimestamp"] } == "11/01/01"
+    end
+  end
+  describe "allow dashes in capture names" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message",  "%{WORD:foo-bar}" ]
+          singles => true
+        }
+      }
+    CONFIG
+    sample "hello world" do
+      insist { subject["foo-bar"] } == "hello"
+    end
+  end
+  describe "performance test", :if => ENV["SPEEDTEST"] do
+    event_count = 100000
+    min_rate = 4000
+    max_duration = event_count / min_rate
+    input = "Nov 24 01:29:01 -0800"
+    config <<-CONFIG
+      input {
+        generator {
+          count => #{event_count}
+          message => "Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]"
+        }
+      }
+      filter {
+        grok {
+          match => [ "message", "%{SYSLOGLINE}" ]
+          singles => true
+          overwrite => [ "message" ]
+        }
+      }
+      output { null { } }
+    CONFIG
+    2.times do
+      agent do
+        puts "grok parse rate: #{event_count / @duration}"
+        insist { @duration } < max_duration
+      end
+    end
+  end
+  describe "singles with duplicate-named fields" do
+    config <<-CONFIG
+      filter {
+        grok {
+          match => [ "message", "%{INT:foo}|%{WORD:foo}" ]
+          singles => true
+        }
+      }
+    CONFIG
+    sample "hello world" do
+      insist { subject["foo"] }.is_a?(String)
+    end
+    sample "123 world" do
+      insist { subject["foo"] }.is_a?(String)
+    end
+  end
+end