logstash-patterns-core 4.1.2 → 4.3.2

data/spec/patterns/rails3_spec.rb

@@ -2,55 +2,113 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "RAILS" do
-  let(:rails3_pattern)  { "RAILS3" }
+describe_pattern "RAILS3", ['legacy', 'ecs-v1'] do
 
-  context "Parsing RAILS3 single-line log from raw log file" do
+  context "single-line log" do
 
-    let(:value) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' } 
-
-    subject     { grok_match(rails3_pattern, value) }
+    let(:message) { 'Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2015-08-05 11:37:01 +0200' }
 
     # Started
-    it { should include("verb" => "POST" ) }
-    it { should include("request" => "/api/v3/internal/allowed" ) }
+    it do
+      if ecs_compatibility?
+        should include("http" => hash_including("request" => { "method" => "POST" }))
+      else
+        should include("verb" => "POST")
+      end
+    end
+
+    it do
+      if ecs_compatibility?
+      else
+        should include("request" => "/api/v3/internal/allowed")
+      end
+    end
     # for
-    it { should include("clientip" => "127.0.0.1" ) }
+    it do
+      if ecs_compatibility?
+        should include("source" => { "address" => "127.0.0.1" })
+      else
+        should include("clientip" => "127.0.0.1")
+      end
+    end
     # at
     it { should include("timestamp" => "2015-08-05 11:37:01 +0200" ) }
   end
 
-  context "Parsing RAILS3 multi-line log from raw log file" do
+  context "multi-line log" do
 
-    let(:value) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
+    let(:message) { 'Started GET "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" for 127.0.0.1 at 2015-08-05 07:40:22 +0200
 Processing by Projects::NotesController#index as JSON
   Parameters: {"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"}
-Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' } 
-    subject     { grok_match(rails3_pattern, value) }
+Completed 200 OK in 640ms (Views: 1.7ms | ActiveRecord: 91.0ms)' }
 
     # started
-    it { should include("verb" => "GET" ) }
-    it { should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" ) }
+    it do
+      if ecs_compatibility?
+        should include("http" => hash_including("request" => { "method" => "GET" }))
+      else
+        should include("verb" => "GET")
+      end
+    end
+
+    it do
+      if ecs_compatibility?
+        should include("url" => {"original"=>"/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732"})
+      else
+        should include("request" => "/puppet/postfix/notes?target_id=162&target_type=issue&last_fetched_at=1438695732" )
+      end
+    end
     # for
-    it { should include("clientip" => "127.0.0.1" ) }
+    it do
+      if ecs_compatibility?
+        should include("source" => { "address" => "127.0.0.1" })
+      else
+        should include("clientip" => "127.0.0.1")
+      end
+    end
     # at
-    it { should include("timestamp" => "2015-08-05 07:40:22 +0200" ) }
+    it { should include("timestamp" => "2015-08-05 07:40:22 +0200") }
     # Processing by
-    it { should include("controller" => "Projects::NotesController" ) }
-    it { should include("action" => "index" ) }
+    it do
+      if ecs_compatibility?
+        should include("rails" => hash_including("controller" => { "class"=>"Projects::NotesController", "action"=>"index" }))
+      else
+        should include("controller" => "Projects::NotesController")
+        should include("action" => "index")
+      end
+    end
     # as
-    it { should include("format" => "JSON" ) }
+    it do
+      if ecs_compatibility?
+        should include("rails" => hash_including("request" => hash_including("format" => 'JSON')))
+      else
+        should include("format" => "JSON" )
+      end
+    end
     # Parameters
-    it { should include("params" => '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"' ) }
+    it do
+      params = '"target_id"=>"162", "target_type"=>"issue", "last_fetched_at"=>"1438695732", "namespace_id"=>"puppet", "project_id"=>"postfix"'
+      if ecs_compatibility?
+        should include("rails" => hash_including("request" => hash_including("params" => params)))
+      else
+        should include("params" => params)
+      end
+    end
     # Completed
-    it { should include("response" => "200" ) }
+    it do
+      if ecs_compatibility?
+        should include("http" => hash_including("response" => { "status_code" => 200 }))
+      else
+        should include("response" => "200" )
+      end
+    end
     # in
-    it { should include("totalms" =>  "640" ) }
-    # (Views: 
-    it { should include("viewms" =>  "1.7" ) }
-    # | ActiveRecord:
-    it { should include("activerecordms" =>  "91.0" ) }
-
+    it do
+      if ecs_compatibility?
+        should include("rails" => hash_including("request" => hash_including("duration" => { "total" => 640.0, "view" => 1.7, "active_record" => 91.0 })))
+      else
+        should include("totalms" => "640", "viewms" => "1.7", "activerecordms" => "91.0")
+      end
+    end
   end
-
 end

data/spec/patterns/redis_spec.rb

@@ -2,170 +2,246 @@
 require "spec_helper"
 require "logstash/patterns/core"
 
-describe "REDISTIMESTAMP" do
+describe_pattern 'REDISTIMESTAMP', [ 'legacy', 'ecs-v1' ] do
 
-  let(:value) { '14 Nov 07:01:22.119'}
-  let(:pattern) { "REDISTIMESTAMP" }
+  let(:message) { '14 Nov 07:01:22.119'}
 
   it "a pattern pass the grok expression" do
-    expect(grok_match(pattern, value)).to pass
+    expect(grok_match(pattern, message)).to pass
   end
 
 end
 
-describe "REDISLOG" do
+describe_pattern 'REDISLOG', [ 'legacy', 'ecs-v1' ] do
 
-  let(:value)   { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
-  let(:pattern) { "REDISLOG" }
-  let(:grok)    { grok_match(pattern, value) }
+  let(:message) { "[4018] 14 Nov 07:01:22.119 * Background saving terminated with success" }
 
   it "a pattern pass the grok expression" do
     expect(grok).to pass
   end
 
   it "generates the pid field" do
-    expect(grok).to include("pid" => "4018")
+    if ecs_compatibility?
+      expect(grok).to include("process" => { 'pid' => 4018 })
+    else
+      expect(grok).to include("pid" => "4018")
+    end
   end
 
 end
 
+describe_pattern 'REDISMONLOG', [ 'legacy', 'ecs-v1' ] do
+
+  context "simple command" do
+
+    let(:message) { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
+
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1470637867.953466")
+    end
+
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
+      else
+        expect(grok).to include("database" => "0")
+      end
+    end
+
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+      else
+        expect(grok).to include("client" => "195.168.1.1")
+      end
+    end
+
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 52500))
+      else
+        expect(grok).to include("port" => "52500")
+      end
+    end
+
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => { 'name' => 'info' }))
+      else
+        expect(grok).to include("command" => "info")
+      end
+    end
+
+  end
+
+  context "one param command" do
+
+    let(:message) { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
+
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1339518083.107412")
+    end
+
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => { 'id' => '0' }))
+      else
+        expect(grok).to include("database" => "0")
+      end
+    end
+
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+      else
+        expect(grok).to include("client" => "127.0.0.1")
+      end
+    end
+
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 60866))
+      else
+        expect(grok).to include("port" => "60866")
+      end
+    end
+
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'keys')))
+      else
+        expect(grok).to include("command" => "keys")
+      end
+    end
+
+    it "generates the params field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => '"*"')))
+      else
+        expect(grok).to include("params" => "\"*\"")
+      end
+    end
 
-describe "REDISMONLOG - SIMPLE COMMAND" do
-
-  let(:value)   { "1470637867.953466 [0 195.168.1.1:52500] \"info\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1470637867.953466")
-  end
-
-  it "generates the database field" do
-    expect(grok).to include("database" => "0")
-  end
-
-  it "generates the client field" do
-    expect(grok).to include("client" => "195.168.1.1")
-  end
-
-  it "generates the port field" do
-    expect(grok).to include("port" => "52500")
-  end
-
-  it "generates the command field" do
-    expect(grok).to include("command" => "info")
-  end
-
-end
-
-describe "REDISMONLOG - ONE PARAM COMMAND" do
-
-  let(:value)   { "1339518083.107412 [0 127.0.0.1:60866] \"keys\" \"*\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1339518083.107412")
-  end
-
-  it "generates the database field" do
-    expect(grok).to include("database" => "0")
-  end
-
-  it "generates the client field" do
-    expect(grok).to include("client" => "127.0.0.1")
-  end
-
-  it "generates the port field" do
-    expect(grok).to include("port" => "60866")
-  end
-
-  it "generates the command field" do
-    expect(grok).to include("command" => "keys")
-  end
-
-  it "generates the params field" do
-    expect(grok).to include("params" => "\"*\"")
   end
 
 end
 
-describe "REDISMONLOG - TWO PARAM COMMAND" do
+describe_pattern "REDISMONLOG", [ 'legacy', 'ecs-v1' ] do
+
+  context 'two param command' do
+
+    let(:message) { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
+
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1470637925.186681")
+    end
+
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '0')))
+      else
+        expect(grok).to include("database" => "0")
+      end
+    end
+
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '127.0.0.1'))
+      else
+        expect(grok).to include("client" => "127.0.0.1")
+      end
+    end
+
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 39404))
+      else
+        expect(grok).to include("port" => "39404")
+      end
+    end
+
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'rpush')))
+      else
+        expect(grok).to include("command" => "rpush")
+      end
+    end
+
+    it "generates the params field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")))
+      else
+        expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
+      end
+    end
+
+  end
+
+  context "variadic command" do
+
+    let(:message) { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
+
+    it "a pattern pass the grok expression" do
+      expect(grok).to pass
+    end
+
+    it "generates the timestamp field" do
+      expect(grok).to include("timestamp" => "1470637875.777457")
+    end
+
+    it "generates the database field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('database' => hash_including('id' => '15')))
+      else
+        expect(grok).to include("database" => "15")
+      end
+    end
+
+    it "generates the client field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('ip' => '195.168.1.1'))
+      else
+        expect(grok).to include("client" => "195.168.1.1")
+      end
+    end
+
+    it "generates the port field" do
+      if ecs_compatibility?
+        expect(grok).to include("client" => hash_including('port' => 52500))
+      else
+        expect(grok).to include("port" => "52500")
+      end
+    end
+
+    it "generates the command field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('name' => 'intentionally')))
+      else
+        expect(grok).to include("command" => "intentionally")
+      end
+    end
+
+    it "generates the params field" do
+      if ecs_compatibility?
+        expect(grok).to include("redis" => hash_including('command' => hash_including('args' => "\"broken\" \"variadic\" \"log\" \"entry\"")))
+      else
+        expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
+      end
+    end
 
-  let(:value)   { "1470637925.186681 [0 127.0.0.1:39404] \"rpush\" \"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1470637925.186681")
-  end
-
-  it "generates the database field" do
-    expect(grok).to include("database" => "0")
-  end
-
-  it "generates the client field" do
-    expect(grok).to include("client" => "127.0.0.1")
-  end
-
-  it "generates the port field" do
-    expect(grok).to include("port" => "39404")
-  end
-
-  it "generates the command field" do
-    expect(grok).to include("command" => "rpush")
-  end
-
-  it "generates the params field" do
-    expect(grok).to include("params" => "\"my:special:key\" \"{\\\"data\\\":\"cdr\\\",\\\"payload\\\":\\\"json\\\"}\"")
   end
 
 end
-
-describe "REDISMONLOG - VARIADIC COMMAND" do
-
-  let(:value)   { "1470637875.777457 [15 195.168.1.1:52500] \"intentionally\" \"broken\" \"variadic\" \"log\" \"entry\"" }
-  let(:pattern) { "REDISMONLOG" }
-  let(:grok)    { grok_match(pattern, value) }
-
-  it "a pattern pass the grok expression" do
-    expect(grok).to pass
-  end
-
-  it "generates the timestamp field" do
-    expect(grok).to include("timestamp" => "1470637875.777457")
-  end
-
-  it "generates the database field" do
-    expect(grok).to include("database" => "15")
-  end
-
-  it "generates the client field" do
-    expect(grok).to include("client" => "195.168.1.1")
-  end
-
-  it "generates the port field" do
-    expect(grok).to include("port" => "52500")
-  end
-
-  it "generates the command field" do
-    expect(grok).to include("command" => "intentionally")
-  end
-
-  it "generates the params field" do
-    expect(grok).to include("params" => "\"broken\" \"variadic\" \"log\" \"entry\"")
-  end
-
-end