Class: LogStash::Filters::KV
- Inherits:
-
Base
- Object
- Base
- LogStash::Filters::KV
- Defined in:
- lib/logstash/filters/kv.rb
Overview
This filter helps automatically parse messages (or specific event fields) which are of the ‘foo=bar` variety.
For example, if you have a log message which contains ‘ip=1.2.3.4 error=REFUSED`, you can parse those automatically by configuring:
- source,ruby
-
filter {
kv { }}
The above will result in a message of ‘ip=1.2.3.4 error=REFUSED` having the fields:
-
‘ip: 1.2.3.4`
-
‘error: REFUSED`
This is great for postfix, iptables, and other types of logs that tend towards ‘key=value` syntax.
You can configure any arbitrary strings to split your data on, in case your data is not structured using ‘=` signs and whitespace. For example, this filter can also be used to parse query parameters like `foo=bar&baz=fizz` by setting the `field_split` parameter to `&`.
Instance Method Summary collapse
-
#filter(event) ⇒ Object
def register.
- #register ⇒ Object
Instance Method Details
#filter(event) ⇒ Object
def register
220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 |
# File 'lib/logstash/filters/kv.rb', line 220 def filter(event) return unless filter?(event) kv = Hash.new value = event[@source] case value when nil; # Nothing to do when String; kv = parse(value, event, kv) when Array; value.each { |v| kv = parse(v, event, kv) } else @logger.warn("kv filter has no support for this type of data", :type => value.class, :value => value) end # case value # Add default key-values for missing keys kv = @default_keys.merge(kv) # If we have any keys, create/append the hash if kv.length > 0 if @target.nil? # Default is to write to the root of the event. dest = event.to_hash else if !event[@target].is_a?(Hash) @logger.debug("Overwriting existing target field", :target => @target) dest = event[@target] = {} else dest = event[@target] end end dest.merge!(kv) filter_matched(event) end end |
#register ⇒ Object
210 211 212 213 214 215 216 217 218 |
# File 'lib/logstash/filters/kv.rb', line 210 def register @trim_re = Regexp.new("[#{@trim}]") if !@trim.nil? @trimkey_re = Regexp.new("[#{@trimkey}]") if !@trimkey.nil? valueRxString = "(?:\"([^\"]+)\"|'([^']+)'" valueRxString += "|\\(([^\\)]+)\\)|\\[([^\\]]+)\\]" if @include_brackets valueRxString += "|((?:\\\\ |[^"+@field_split+"])+))" @scan_re = Regexp.new("((?:\\\\ |[^"+@field_split+@value_split+"])+)\\s*["+@value_split+"]\\s*"+valueRxString) end |