Sha256: 1bcb1f6956b0087971526e0cba7df6373af59a2105143887b176bd0a8f568f48
Contents?: true
Size: 1.98 KB
Versions: 9
Compression:
Stored size: 1.98 KB
Contents
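require "logstash/filters/base"
require "logstash/namespace"
gem "jls-grok", ">=0.2.3071"
require "grok" # rubygem 'jls-grok'

# Filter that runs grok "discovery" over selected fields of an event.
#
# The config maps an event type to the list of field names to inspect. For
# each configured field present on the event, a grok pattern is discovered
# from the field value, compiled, matched against that same value, and the
# resulting captures are merged back into the event's fields.
class LogStash::Filters::Grokdiscovery < LogStash::Filters::Base
  # @param config [Hash] event type => list of field names to run discovery on
  public
  def initialize(config = {})
    super

    @discover_fields = {}
  end # def initialize

  # Loads the grok pattern files and records, per event type, which fields
  # discovery should be applied to.
  public
  def register
    # TODO(sissel): Make patterns files come from the config
    # NOTE(review): "patterns/*" is relative, so it is resolved against the
    # process working directory; whoever can write to that directory controls
    # the patterns that get loaded. Prefer an absolute, configured path.
    #
    # One Grok instance is shared by every type, so build it once instead of
    # reloading all pattern files for each configured type.
    @grok = Grok.new
    Dir.glob("patterns/*").each do |path|
      next unless File.file?(path) # skip sub-directories matched by the glob

      @grok.add_patterns_from_file(path)
    end

    @config.each do |type, typeconfig|
      @logger.debug("Registering type with grok: #{type}")
      @discover_fields[type] = typeconfig
      @logger.debug(["Enabling discovery", { :type => type, :fields => typeconfig }])
      @logger.debug(@discover_fields)
    end # @config.each
  end # def register

  # Runs discovery on the configured fields of +event+ and merges any
  # captures into +event.fields+. Events whose type is not configured are
  # logged and left unchanged.
  #
  # @param event the event to process; read through #type, #fields, #source
  #   and #to_hash
  public
  def filter(event)
    if event.type && @discover_fields.include?(event.type)
      discover = @discover_fields[event.type] & event.fields.keys
      discover.each do |field|
        value = event.fields[field]
        # A field may hold a single string, a list, or nil; normalise so a
        # nil value is skipped instead of raising NoMethodError on #each.
        values = value.is_a?(String) ? [value] : Array(value)
        values.each do |v|
          # NOTE(review): @grok is shared and recompiled for every value; if
          # #filter can run on several threads at once this would race -
          # confirm against the caller.
          pattern = @grok.discover(v)
          # Per-value traces carry raw event content, so they are logged at
          # debug rather than warn to keep them out of routine logs.
          @logger.debug("Trying #{v} => #{pattern}")
          @grok.compile(pattern)
          match = @grok.match(v)
          if match
            @logger.debug(["Match", match.captures])
            event.fields.merge!(match.captures) do |key, oldval, newval|
              @logger.debug(["Merging #{key}", oldval, newval])
              # Both sides are expected to be arrays; coerce so an existing
              # scalar field does not raise TypeError on the merge.
              Array(oldval) + Array(newval)
            end
          else
            @logger.warn(["Discovery produced something not matchable?", { :input => v }])
          end
        end # values.each
      end # discover.each
    else
      @logger.info("Unknown type for #{event.source} (type: #{event.type})")
      @logger.debug(event.to_hash)
    end
    @logger.debug(["Event now: ", event.to_hash])
  end # def filter
end # class LogStash::Filters::Grokdiscovery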