plunk 0.3.11 → 0.3.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b0870feaf4598dab6fc0dd14cfe797021d15e22
-  data.tar.gz: d65d9025b1384cd446da54d75091a8c072eb2986
+  metadata.gz: c74090ae720297508b3052f062ce3376ecde58d3
+  data.tar.gz: 1d61ecb3d0d944391f80ea30be02470fad915c08
 SHA512:
-  metadata.gz: a12882302f751b913ff4bab7157d26603ad8433ac2858a5de85dec4f9afe6d8a56d5308658e013cb1957effa9dee63f0640147b903e3fb5913befb5f42516d94
-  data.tar.gz: a8fe3b9d113537ed09113f3e69570381254e0c7dc3d21f7813576807a7311063eefb6a7adf2e7d5f07307eec968e4e2e045e2c81d794f1bce3beea4e44a9b541
+  metadata.gz: 5ab3dadd247100ca75f8cc39661adc5a80e3f586d1599a3c10f81a964ee04beffa01cfa13a516c707decde2f37bce0259df252f758156264fcd063c22f93118f
+  data.tar.gz: 33b135c700a1a800e0d7b4a7f0a96f67af97cf5345bd4b285d0239ba08771976febd035f6668fb5e2e0f8a24814616afc62511a47865ea26b501972fbadc214f

data/.ruby-version

@@ -1 +1 @@
-2.1.1
+2.1

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    plunk (0.3.8)
+    plunk (0.3.11)
       activesupport (~> 4.0, >= 4.0.0)
       chronic (~> 0.10, >= 0.10.0)
       elasticsearch (~> 1.0, >= 1.0.0)
@@ -11,7 +11,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (4.1.0)
+    activesupport (4.1.4)
       i18n (~> 0.6, >= 0.6.9)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
@@ -20,34 +20,38 @@ GEM
     blankslate (2.1.2.4)
     chronic (0.10.2)
     diff-lcs (1.2.5)
-    elasticsearch (1.0.1)
-      elasticsearch-api (= 1.0.1)
-      elasticsearch-transport (= 1.0.1)
-    elasticsearch-api (1.0.1)
+    elasticsearch (1.0.4)
+      elasticsearch-api (= 1.0.4)
+      elasticsearch-transport (= 1.0.4)
+    elasticsearch-api (1.0.4)
       multi_json
-    elasticsearch-transport (1.0.1)
+    elasticsearch-transport (1.0.4)
       faraday
       multi_json
     faraday (0.9.0)
       multipart-post (>= 1.2, < 3)
-    i18n (0.6.9)
+    i18n (0.6.11)
     json (1.8.1)
-    minitest (5.3.2)
-    multi_json (1.9.2)
+    minitest (5.4.0)
+    multi_json (1.10.1)
     multipart-post (2.0.0)
-    parslet (1.5.0)
+    parslet (1.6.1)
       blankslate (~> 2.0)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.8)
-    rspec-expectations (2.14.5)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.6)
-    thread_safe (0.3.3)
+    rspec (3.1.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+    rspec-core (3.1.3)
+      rspec-support (~> 3.1.0)
+    rspec-expectations (3.1.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.1.0)
+    rspec-mocks (3.1.0)
+      rspec-support (~> 3.1.0)
+    rspec-support (3.1.0)
+    thread_safe (0.3.4)
     timecop (0.7.1)
-    tzinfo (1.1.0)
+    tzinfo (1.2.1)
       thread_safe (~> 0.1)
 
 PLATFORMS
@@ -55,5 +59,5 @@ PLATFORMS
 
 DEPENDENCIES
   plunk!
-  rspec (~> 2.0, >= 2.14.1)
+  rspec (~> 3.1, >= 3.1.0)
   timecop (~> 0.7, >= 0.7.1)

data/README.md

@@ -1,116 +1 @@
-Plunk
-=====
-
-Human-friendly query language for Elasticsearch
-
-## About
-
-Plunk is a ruby gem to take a human-friendly, one-line search command and
-translate it to full-fledged JSON to send to Elasticsearch. Currently it only
-supports a few commands, but the goal is to support a large subset of what
-Elasticsearch offers.
-
-## Installation
-```
-gem install plunk
-```
-
-Plunk uses [Parslet](https://github.com/kschiess/parslet) to first parse your
-query, and then [Elasticsearch's official ruby library](https://github.com/elasticsearch/elasticsearch-ruby)
-to send it to Elasticsearch.
-
-## Usage
-```ruby
-require 'plunk'
-
-# 
-# Configuration is required before using Plunk
-# 
-# Elasticsearch_options accepts the same params as Elasticsearch::Client
-# from the elasticsearch-ruby library
-Plunk.configure do |config|
-  config.elasticsearch_options = { host: 'localhost' }
-end
-
-# Restrict timeframe to last 1 week and match documents with _type=syslog
-# s = seconds
-# m = minutes
-# h = hours
-# d = days
-# w = weeks
-# All times in Plunk are converted to UTC
-Plunk.search 'last 1w AND _type = syslog'
-
-# The ```window``` command can also be used to filter by time
-Plunk.search 'window -2d to -1d'
-
-# Plunk tries to parse the date with Chronic, so this works too. Note the
-# double quotes around the time string. This is needed if it contains a space.
-Plunk.search 'window "last monday" to "last thursday"'
-
-# Of course, absolute dates are supported as well. Date format is American style
-# e.g. MM/DD/YY
-Plunk.search 'window 3/14/12 to 3/15/12'
-
-# Use double quotes to wrap space-containing strings
-Plunk.search 'http.header = "UserAgent: Mozilla/5.0"'
-
-# Commands are joined using parenthesized booleans
-Plunk.search '(last 1h AND severity = 5) OR (last 1w AND severity = 3)'
-
-# "AND" is aliased to "and" and "&". Similarly, "OR" is aliased to "or" and "|".
-# The following queries are identical to one above
-Plunk.search '(last 1h and severity = 5) or (last 1w and severity = 3)'
-Plunk.search '(last 1h & severity = 5) | (last 1w & severity = 3)'
-
-# Use the NOT keyword to negate the following command or boolean chain
-Plunk.search 'NOT message = Error'
-
-# Like AND and OR, "NOT" is aliased to "not" and "~"
-Plunk.search 'not message = Error'
-Plunk.search '~ message = Error'
-
-# Regexp is supported as well
-Plunk.search 'http.headers = /.*User-Agent: Mozilla.*/ OR http.headers = /.*application\/json.*/'
-```
-
-
-## Translation
-
-Under the hood, Plunk takes your query and translates it to
-Elasticsearch-compatible JSON. For example,
-
-```last 24h & _type=syslog```
-
-gets translated to:
-
-```json
-{
-  "query": {
-    "filtered": {
-      "filter": {
-        "and": [
-          {
-            "range": {
-              "timestamp": {
-                "gte": "2013-08-23T05:43:13.770Z",
-                "lte": "2013-08-24T05:43:13.770Z"
-              }
-            }
-          },
-          {
-            "query": {
-              "query_string": {
-                "query": "_type:syslog"
-              }
-            }
-          }
-        ]
-      }
-    }
-  }
-}
-```
-
-In general, commands are combined into a single filter using Elasticsearch's,
-```and```, ```or```, and ```not``` filters.
+This gem has been renamed to <a href="https://github.com/elbii/peruse">Peruse</a>.

data/bin/plunk

@@ -3,6 +3,8 @@ $LOAD_PATH << './lib'
 require 'plunk'
 require 'optparse'
 
+warn "[DEPRECATION] This gem has been renamed to peruse and will no longer be supported. Please switch to peruse as soon as possible."
+
 options = {}
 OptionParser.new do |opts|
   opts.banner = "Usage: plunk [options]"
@@ -13,29 +15,62 @@ OptionParser.new do |opts|
     "-h",
     "--host HOST",
     "comma-separated list of Elasticsearch hosts to use"
-  ) do |h|
-
-    options[:host] = h
+  ) do |option|
+    options[:host] = option
   end
 
   opts.on(
     "-p",
     "--parse-only",
     "parse but don't execute query, returning ES-compatible JSON"
-  ) do |p|
+  ) do |option|
+    options[:parse_only] = option
+  end
 
-    options[:parse_only] = p
+  opts.on(
+    "-s",
+    "--size SIZE",
+    "max number of hits to return"
+  ) do |option|
+    options[:size] = option
+  end
+  
+  opts.on(
+    "-r",
+    "--randomize-hosts",
+    "randomize hosts used for each search"
+  ) do |option|
+    options[:randomize_hosts] = option
   end
 
+  opts.on(
+    "-t",
+    "--timestamp-field FIELD",
+    "timestamp field to use for timerange searches"
+  ) do |option|
+    options[:timestamp_field] = option
+  end
+
+  opts.on(
+    "-d",
+    "--debug",
+    "turn on debugging output"
+  ) do |option|
+    options[:debug] = option
+  end
 
 end.parse!
 
 Plunk.configure do |c|
   c.parse_only = options[:parse_only]
+  c.max_number_of_hits = options[:size].to_i if options[:size]
+  c.timestamp_field =
+    options[:timestamp_field].strip if options[:timstamp_field]
+  c.logger = Logger.new(STDOUT) if options[:debug]
 
   c.elasticsearch_client = Elasticsearch::Client.new(
-    host: options[:host].split(','),
-    randomize_hosts: true
+    host: options[:host].split(',').collect! { |h| h.strip },
+    randomize_hosts: options[:randomize_hosts]
   ) unless c.parse_only
 end
 

data/lib/plunk/version.rb

@@ -1,3 +1,3 @@
 module Plunk
-  VERSION = "0.3.11"
+  VERSION = "0.3.12"
 end

data/plunk.gemspec

@@ -4,19 +4,24 @@ require File.expand_path('../lib/plunk/version', __FILE__)
 Gem::Specification.new do |s|
   s.name                    = "plunk"
   s.version                 = Plunk::VERSION
+  s.required_ruby_version   = ">= 1.9.3"
   s.add_runtime_dependency  "json", "~> 1.8", ">= 1.8.0"
   s.add_runtime_dependency  "parslet", "~> 1.5", ">= 1.5.0"
   s.add_runtime_dependency  "elasticsearch", "~> 1.0", ">= 1.0.0"
   s.add_runtime_dependency  "activesupport", "~> 4.0", ">= 4.0.0"
   s.add_runtime_dependency  "chronic", "~> 0.10", ">= 0.10.0"
-  s.add_development_dependency "rspec", "~> 2.0", ">= 2.14.1"
+  s.add_development_dependency "rspec", "~> 3.1", ">= 3.1.0"
   s.add_development_dependency "timecop", "~> 0.7", ">= 0.7.1"
   s.executables             << "plunk"
   s.summary                 = "Elasticsearch query language"
   s.description             = "Human-friendly query language for Elasticsearch"
-  s.authors                 = ["Ram Mehta", "Jamil Bou Kheir", "Roman Heinrich"]
-  s.email                   = ["ram.mehta@gmail.com", "jamil@elbii.com", "roman.heinrich@gmail.com"]
+  s.authors                 = ["Ram Mehta", "Jamil Bou Kheir"]
+  s.email                   = ["ram.mehta@gmail.com", "jamil@elbii.com"]
   s.files                   = `git ls-files`.split("\n")
   s.homepage                = "https://github.com/elbii/plunk"
   s.license                 = "MIT"
+  s.post_install_message    = <<-MESSAGE
+  !   The 'plunk' gem has been deprecated and replaced by 'peruse'. Please switch to the new gem as soon as possible.
+  !   See more at https://github.com/elbii/plunk
+  MESSAGE
 end

data/spec/basic_spec.rb

@@ -19,21 +19,21 @@ describe 'basic searches' do
 
   it 'should parse bar' do
     result = Plunk.search 'bar'
-    result.should eq(basic_builder('bar'))
+    expect(result).to eq(basic_builder('bar'))
   end
 
   it 'should parse bar ' do
     result = Plunk.search 'bar '
-    result.should eq(basic_builder('bar'))
+    expect(result).to eq(basic_builder('bar'))
   end
 
   it 'should parse (bar) ' do
     result = Plunk.search '(bar) '
-    result.should eq(basic_builder('bar'))
+    expect(result).to eq(basic_builder('bar'))
   end
 
   it 'should parse  bar ' do
     result = Plunk.search ' bar '
-    result.should eq(basic_builder('bar'))
+    expect(result).to eq(basic_builder('bar'))
   end
 end

data/spec/binstub_spec.rb

@@ -0,0 +1,33 @@
+require 'open3'
+
+describe 'binstub' do
+  it 'should execute a valid query from stdin' do
+    result = ""
+
+    Open3.popen3(
+      "bin/plunk",
+      "-h localhost,127.0.0.1",
+      "-s 1",
+      "-r",
+      "-d",
+      "-t timestamp"
+    ) do |stdin, stdout, stderr|
+      stdin.puts "last 1w"
+      stdin.close
+      result = stdout.read.chomp
+    end
+      
+    expect(result).to be_present
+  end
+
+  it 'should not allow invalid options' do
+    exit_status = -1 
+
+    Open3.popen3("bin/plunk", "-z") do |stdin, stdout, stderr, thread|
+      exit_status = thread.value.exitstatus
+    end
+
+
+    expect(exit_status).to eq 1
+  end
+end

data/spec/nested_search_spec.rb

@@ -13,17 +13,17 @@ describe 'nested searches' do
       arr: [ 0, 1, 2, 3 ],
       :timestamp => @time.utc.to_datetime.iso8601(3)
     }.to_json
-    Plunk::ResultSet.any_instance.stub(:eval).and_return(fake_results)
+    allow_any_instance_of(Plunk::ResultSet).to receive(:eval).and_return(fake_results)
   end
 
-  pending 'should transform' do
+  skip 'should transform' do
     results = @transformer.apply @parser.parse('foo=`bar=baz|baz,fass,fdsd`')
     expect(results.query).to eq({query:{filtered:{query:{query_string:{
       query: 'foo:(5)'
     }}}}})
   end
 
-  pending 'should parse a nested basic search' do
+  skip 'should parse a nested basic search' do
     @parsed = @parser.parse 'tshark.len = ` 226 | tshark.frame.time_epoch,tshark.ip.src`'
     expect(@parsed[:field].to_s).to eq 'tshark.len'
     expect(@parsed[:op].to_s).to eq '='
@@ -31,7 +31,7 @@ describe 'nested searches' do
     expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
   end
 
-  pending 'should parse a nested regexp' do
+  skip 'should parse a nested regexp' do
     @parsed = @parser.parse 'tshark.len = ` cif.malicious_ips=/foo/ | tshark.frame.time_epoch,tshark.ip.src`'
     expect(@parsed[:field].to_s).to eq 'tshark.len'
     expect(@parsed[:op].to_s).to eq '='
@@ -41,7 +41,7 @@ describe 'nested searches' do
     expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
   end
 
-  pending 'should parse a nested basic boolean' do
+  skip 'should parse a nested basic boolean' do
     @parsed = @parser.parse 'tshark.len = `(foo OR bar) | tshark.frame.time_epoch,tshark.ip.src`'
     expect(@parsed[:field].to_s).to eq 'tshark.len'
     expect(@parsed[:op].to_s).to eq '='
@@ -49,7 +49,7 @@ describe 'nested searches' do
     expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
   end
 
-  pending 'should parse a nested field / value boolean' do
+  skip 'should parse a nested field / value boolean' do
     @parsed = @parser.parse 'tshark.len = `baz=(foo OR bar AND (bar OR fez)) | tshark.frame.time_epoch,tshark.ip.src`'
     expect(@parsed[:field].to_s).to eq 'tshark.len'
     expect(@parsed[:op].to_s).to eq '='
@@ -59,7 +59,7 @@ describe 'nested searches' do
     expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
   end
 
-  pending 'should parse a nested last standalone timerange' do
+  skip 'should parse a nested last standalone timerange' do
     @parsed = @parser.parse 'tshark.len = `last 24h | tshark.frame.time_epoch,tshark.ip.src`'
     expect(@parsed[:field].to_s).to eq 'tshark.len'
     expect(@parsed[:op].to_s).to eq '='
@@ -68,7 +68,7 @@ describe 'nested searches' do
     expect(@parsed[:value][:extractors].to_s).to eq 'tshark.frame.time_epoch,tshark.ip.src'
   end
 
-  pending 'should parse a nested last timerange and field / value pair' do
+  skip 'should parse a nested last timerange and field / value pair' do
     @parsed = @parser.parse 'tshark.len = `last 24h foo=bar | tshark.frame.time_epoch,tshark.ip.src`'
     expect(@parsed[:field].to_s).to eq 'tshark.len'
     expect(@parsed[:op].to_s).to eq '='

data/spec/shared/plunk_stubs.rb

@@ -1,5 +1,5 @@
 shared_context "plunk stubs" do
   before :each do
-    Plunk.stub(:timestamp_field).and_return(:@timestamp)
+    allow(Plunk).to receive(:timestamp_field).and_return(:@timestamp)
   end
 end

metadata

@@ -1,16 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: plunk
 version: !ruby/object:Gem::Version
-  version: 0.3.11
+  version: 0.3.12
 platform: ruby
 authors:
 - Ram Mehta
 - Jamil Bou Kheir
-- Roman Heinrich
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-05-13 00:00:00.000000000 Z
+date: 2014-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -118,20 +117,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.14.1
+        version: 3.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.14.1
+        version: 3.1.0
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -156,7 +155,6 @@ description: Human-friendly query language for Elasticsearch
 email:
 - ram.mehta@gmail.com
 - jamil@elbii.com
-- roman.heinrich@gmail.com
 executables:
 - plunk
 extensions: []
@@ -182,6 +180,7 @@ files:
 - lib/plunk/version.rb
 - plunk.gemspec
 - spec/basic_spec.rb
+- spec/binstub_spec.rb
 - spec/boolean_spec.rb
 - spec/chained_search_spec.rb
 - spec/field_value_spec.rb
@@ -199,7 +198,9 @@ homepage: https://github.com/elbii/plunk
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message: |2
+    !   The 'plunk' gem has been deprecated and replaced by 'peruse'. Please switch to the new gem as soon as possible.
+    !   See more at https://github.com/elbii/plunk
 rdoc_options: []
 require_paths:
 - lib
@@ -207,7 +208,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -215,7 +216,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.2
 signing_key: 
 specification_version: 4
 summary: Elasticsearch query language