Sha256: 4fab2f41b177aede94cc97e5b83be9e8712acfa16ed05760c6b313714915972d
Contents?: true
Size: 1.9 KB
Versions: 7
Compression:
Stored size: 1.9 KB
Contents
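# {
#   "scan": {
#     "field": "",
#     "pattern": "",
#     "target": ""
#   }
# }
module Anschel
  class Filter
    # Builds the "scan" filter: every match of +pattern+ found in
    # event[field] is appended to the array stored at event[target].
    #
    # conf  - Hash of filter settings. :field, :pattern and :target are
    #         required and are removed from the hash; whatever remains is
    #         handed to +filtered+ together with the event.
    # stats - object responding to +create+ and +inc+ (counters).
    # log   - object responding to +trace+.
    #
    # Returns a lambda taking an event Hash and returning an event.
    # Raises RuntimeError when a required setting is missing, and whatever
    # Regexp.new raises when the pattern does not compile.
    #
    # NOTE(review): conf[:error_tag] is not consumed here and the
    # 'filter-scan-error' counter is never incremented by this method.
    # Nothing in the lambda rescues a failure (for example a field value
    # that does not respond to +scan+), so such an exception reaches the
    # caller - confirm that the caller handles it.
    def scan(conf, stats, log)
      field   = conf.delete :field
      pattern = conf.delete :pattern
      target  = conf.delete :target

      raise 'Missing required "field" for "scan" filter' if field.nil?
      raise 'Missing required "pattern" for "scan" filter' if pattern.nil?
      # This message used to name the "convert" filter, which sent whoever
      # was debugging a broken config to the wrong stanza.
      raise 'Missing required "target" for "scan" filter' if target.nil?

      field  = field.to_sym
      target = target.to_sym

      # The pattern comes from filter configuration but runs against event
      # data the operator does not control. A pattern that backtracks
      # heavily (nested quantifiers, overlapping alternations) can stall
      # the thread running this filter on a long field value, so review
      # patterns for that before deploying them.
      match = Regexp.new pattern

      stats.create 'filter-scan'
      stats.create 'filter-scan-skipped'
      stats.create 'filter-scan-nomatch'
      stats.create 'filter-scan-error'

      log.trace event: 'filter-compiled', kind: 'scan',
                field: field, pattern: pattern, match: match, target: target

      lambda do |event|
        # Events without the source field pass through untouched.
        unless event[field]
          stats.inc 'filter-scan-skipped'
          return event
        end

        results = event[field].scan(match).flatten.uniq.map do |s|
          # N.B. There seems to be some issue with the "scan" function in
          #      JRuby wherein the matches are shared across threads or
          #      somehow mangled. The reverse.reverse here ensures that we
          #      create a new object with the original contents still
          #      intact. If you have a better solution, please contact me!
          s.reverse.reverse
        end

        if results.empty?
          stats.inc 'filter-scan-nomatch'
          event
        else
          # Append to whatever the target already holds rather than
          # overwriting it.
          event[target] ||= []
          event[target] += results
          stats.inc 'filter-scan'
          filtered event, conf
        end
      end
    end
  end
end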