Class: LogStash::Filters::Elasticsearch::EsqlExecutor
- Inherits:
-
Object
- Object
- LogStash::Filters::Elasticsearch::EsqlExecutor
- Defined in:
- lib/logstash/filters/elasticsearch/esql_executor.rb
Constant Summary collapse
- ESQL_PARSERS_BY_TYPE =
Hash.new(lambda { |x| x }).merge( 'date' => ->(value) { value && LogStash::Timestamp.new(value) }, )
Instance Method Summary collapse
-
#initialize(plugin, logger) ⇒ EsqlExecutor
constructor
A new instance of EsqlExecutor.
- #process(client, event) ⇒ Object
Constructor Details
#initialize(plugin, logger) ⇒ EsqlExecutor
Returns a new instance of EsqlExecutor.
12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# File 'lib/logstash/filters/elasticsearch/esql_executor.rb', line 12 def initialize(plugin, logger) @logger = logger @event_decorator = plugin.method(:decorate) @query = plugin.params["query"] query_params = plugin.query_params || {} reference_valued_params, static_valued_params = query_params.partition { |_, v| v.kind_of?(String) && v.match?(/^\[.*\]$/) } @referenced_params = reference_valued_params&.to_h # keep static params as an array of hashes to attach to the ES|QL api param easily @static_params = static_valued_params.map { |k, v| { k => v } } @tag_on_failure = plugin.params["tag_on_failure"] @logger.debug("ES|QL query executor initialized with ", query: @query, query_params: query_params) # if the target is specified, all result entries will be copied to the target field # otherwise, the first value of the result will be copied to the event @target_field = plugin.params["target"] @logger.warn("Only first query result will be copied to the event. Please specify `target` in plugin config to include all") if @target_field.nil? end |
Instance Method Details
#process(client, event) ⇒ Object
32 33 34 35 36 37 38 39 40 41 42 |
# File 'lib/logstash/filters/elasticsearch/esql_executor.rb', line 32 def process(client, event) resolved_params = @referenced_params&.any? ? resolve_parameters(event) : [] resolved_params.concat(@static_params) if @static_params&.any? response = execute_query(client, resolved_params) inform_warning(response) process_response(event, response) @event_decorator.call(event) rescue => e @logger.error("Failed to process ES|QL filter", exception: e) @tag_on_failure.each { |tag| event.tag(tag) } end |