Project

logstash-filter-dateparts

0.0
Bugfix fork oflogstash-filter-geoip
No commit activity in last 3 years
No release in over 3 years
logstash-filter-datepartsmikebski/logstash-datepart-pluginHomepageDocumentationSource CodeBug TrackerWiki
This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
45,592
Stars
2
Forks
1
Watchers
2
 Releases
Current version
2.1.1
Total releases
9
First release
2015-11-30
Latest release
2016-12-17
 Issues
Open Issues
0
Closed Issues
4
Total Issues
4
Issue Closure Rate
100%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
2
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
Apache License (2.0)
Average date of last 50 commits
2016-11-10
Reverse Dependencies
0

 Dependencies

Development

logstash-devutils
= 1.1.0

Runtime

logstash-core-plugin-api
<= 2.99, >= 1.60
 Project Readme

Logstash Plugin

This is a plugin for Logstash.

The source for this plugin can be found here on github

Author: Mike Baranski (mike.baranski@gmail.com). Contributions are welcome.

Gem Version Build Status Test Coverage Code Climate Issue Count

License

Copyright (c) 2014–2017 Mike Baranski http://www.mikeski.net

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

This plugin is useful if you want to easily query Logstash data on day of week, hour of day, or other parts of a date. See the usage below for details on the output of the plugin. The date parts that can be generated are:

  • day
  • wday
  • mday
  • yday
  • month
  • year
  • hour
  • min
  • sec

Documentation

Installation

To manually install the plugin, download the gem from https://rubygems.org/gems/logstash-filter-dateparts and run:

bin/plugin install --no-verify logstash-filter-dateparts-1.0.0.gem

Usage

To see the most basic usage, you can run the following (on Linux):

echo "HI" | bin/logstash -e 'input { stdin {} } filter {dateparts { }} output { stdout { codec=> rubydebug}}'

You could also use the logstash generator:

bin/logstash -e 'input { generator { lines => ["HI"] count => 1 } } filter {dateparts { }} output { stdout { codec=> rubydebug}}'

Here is the sample output:

{
	"message" => "HI",
	"@version" => "1",
	"@timestamp" => "2015-11-20T12:24:40.217Z",
	"host" => "mike-VirtualBox",
	"day" => 20,
	"wday" => 5,
	"yday" => 324,
	"month" => 11,
	"year" => 2015,
	"hour" => 12,
	"min" => 24,
	"sec" => 40
}

This uses the default configuration, which generates the following fields from the @timestamp field of the event:

  • day
  • wday
  • yday
  • month
  • year
  • hour
  • min
  • sec

Configuration

Fields

The generated fields are based on the date functions available in the Ruby time class. You can specify any valid function and it will be added to the event.

For example, this will add 2 fields, sec corresponding to time.sec() and hour corresponding to time.hour():

filter {
	   dateparts {
   	     "fields" => ["sec", "hour"]
   }
}

Time Field

By default, the plugin will use the @timestamp field, but you can specify a different one:

filter {
	   dateparts {
   	     "time_field" => "some_other_field"
   }
}

Duration Field (new in 2.1)

2.1 provides the ability to calculate a duration (in seconds.milliseconds) based on 2 field.s The value of the duration is a float with millisecond precision.

The input values must both be time values, and you specify an output field for the result

filter {
     'fields' => %w(mday),
     'duration' => {
         'start_field' => 'tstart',
         'end_field' => 'tend',
         'result_field' => 'duration'
     }
 }

Error Tags

By default, the tag _dateparts_error is added on exception. You can specify different tag(s) like so:

filter {
	   dateparts {
   	     "error_tags" => ["bad_dates", "xyz"]
   }
}