Class: LogStash::Filters::Advisor

Inherits:
Base show all
Defined in:
lib/logstash/filters/advisor.rb

Overview

send_first => true means that the first occurrence of each different event arriving at the advisor is pushed out as a cloned copy, tagged with “advisor_first”.

Constant Summary

Constants inherited from Base

Base::RESERVED

Constants included from Config::Mixin

Config::Mixin::CONFIGSORT

Instance Attribute Summary

Attributes included from Config::Mixin

#config, #original_params

Attributes inherited from Plugin

#logger, #params

Instance Method Summary collapse

Methods inherited from Base

#execute, #initialize, #threadsafe?

Methods included from Config::Mixin

#config_init, included

Methods inherited from Plugin

#eql?, #finished, #finished?, #hash, #initialize, #inspect, lookup, #reload, #running?, #shutdown, #teardown, #terminating?, #to_s

Constructor Details

This class inherits a constructor from LogStash::Filters::Base

Instance Method Details

#filter(event) ⇒ Object



# File 'lib/logstash/filters/advisor.rb', line 86

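# Counts how often each distinct event message is seen while the advisor is
# enabled.
#
# Events rejected by +filter?+ are ignored. When +@time_adv+ equals 0 the
# method only logs a warning (once per event) and records nothing. Otherwise
# the event's "message" field is compared with the messages kept in +@sarray+:
# a match increments the counter at the same index of +@carray+; a new message
# is appended with a count of 1 and, when +send_first+ is true, +@first+ is set
# so that +flush+ emits the "advisor_first" copy.
#
# @param event [#[]] event whose "message" field is tracked
# @return [void]
def filter(event)
  return unless filter?(event)

  # Control the correct config
  if @time_adv == 0
    @logger.warn("Advisor: you have not specified Time_adv. This filter will do nothing!")
    return
  end

  @message = event["message"]

  # Stored entries are matched through to_s, so compare the string form of the
  # incoming message as well. Without this a nil or non-String message never
  # equals its own stored entry and is appended again on every event.
  wanted = @message.to_s
  seen_at = @sarray.index { |stored| stored.to_s == wanted }

  if seen_at
    @logger.debug("Advisor: Event match")
    # if it came before then count it
    @carray[seen_at] = @carray[seen_at].to_i + 1
    @logger.debug("Advisor: " + @carray[seen_at].to_s + " Events matched")
    return
  end

  # NOTE(review): no size limit is applied here. Every distinct message adds an
  # entry, each event costs a linear scan of @sarray, and the arrays are only
  # emptied by flush after the timer has set @flag. Message text comes from the
  # log source, so a high-cardinality or hostile feed can drive memory and CPU
  # use between flushes -- consider a configurable cap.
  # NOTE(review): @message, @first, @sarray and @carray are also used by flush
  # and by the timer block in register; no lock is visible in this listing.
  @sarray << @message
  @carray << 1
  if send_first == true
    @logger.debug("Advisor: is the first to send out")
    @first = true
  end
end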

#flush ⇒ Object

This method is used to generate events every 5 seconds (thanks to Jordan Sissel for the explanation). In this case an event is generated when the advisor thread has triggered the flag, or when an event is the first of its kind.



# File 'lib/logstash/filters/advisor.rb', line 127

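# Emits the advisor's own events.
#
# Two cases produce an event:
# * +@first+ is set (filter saw a new message with send_first enabled): a new
#   event carrying +@message+ and the tag "advisor_first" is returned.
# * +@flag+ is set (the timer block in register found recorded messages): a
#   summary event tagged "advisor_info" is returned, listing each counter from
#   +@carray+ with the first 300 characters of the matching +@sarray+ entry,
#   and both arrays are then emptied.
#
# NOTE(review): the summary embeds message text taken from the original events
# unchanged apart from the 300-character cut; whatever consumes the
# "advisor_info" event should treat that text as untrusted input.
#
# @return [Array<LogStash::Event>, nil] a one-element array, or nil when there
#   is nothing to emit
def flush
  if @first == true
    event = LogStash::Event.new
    event["host"] = Socket.gethostname
    event["message"] = @message
    event.tag "advisor_first"
    filter_matched(event)

    @first = false
    return [event]
  end

  return unless @flag == true

  # Dotted list of the configured tags, each followed by "."; left untouched
  # when no tags are configured.
  if @tags.size != 0
    @tag_path = @tags.map { |tag| tag.to_s + "." }.join
  end

  # Prepare message
  message = "Advisor: Found events who match: " + @tag_path.to_s + "\n\n"

  # Show a partial view (at most 300 characters) of each different event
  @sarray.each_with_index do |seen, idx|
    message << "#{@carray[idx]} events like: #{seen.to_s.slice(0, 300)}\n\n"
  end

  event = LogStash::Event.new
  event["host"] = Socket.gethostname
  event["message"] = message
  # Same call form as the "advisor_first" branch; the original wrote
  # `event.tag << "advisor_info"`, which calls tag without its argument.
  event.tag "advisor_info"
  filter_matched(event)

  # Reset flag and counters. Fresh arrays are assigned directly: an
  # intermediate nil would be visible to filter and to the timer block in
  # register, both of which call methods on @sarray.
  @flag = false
  @carray = []
  @sarray = []

  # push the event
  [event]
end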

#register ⇒ Object



# File 'lib/logstash/filters/advisor.rb', line 48

# Prepares the advisor's state and starts its timer.
#
# When +@time_adv+ equals 0 only a warning is logged. Otherwise the flags and
# the two tracking arrays are initialised and +time_alert+ is started with
# +@time_adv+ converted to seconds (minutes * 60); on every tick its block sets
# +@flag+ if any message has been recorded.
#
# NOTE(review): the interval is `@time_adv.to_i * 60`, so a fractional value
# below 1 or a negative value passes the `== 0` check but yields an interval
# <= 0, which makes time_alert sleep for 0 seconds on every pass. Whether the
# option's validation excludes such values is not visible in this listing.
def register
  # Control the correct config
  if @time_adv == 0
    @logger.warn("Advisor: you have not specified Time_adv. This filter will do nothing!")
  else
    @flag = false
    @first = false
    # Holds the different event messages seen so far.
    @sarray = []
    # Holds, per index, how many events equal the entry in @sarray.
    @carray = []

    seconds = @time_adv.to_i * 60
    @thread = time_alert(seconds) do
      # If any events were collected, ask flush to push out a summary event.
      @flag = true unless @sarray.size == 0
    end
  end
end

#time_alert(interval) ⇒ Object

This method is used to manage putting threads to sleep and waking them up (thanks to StackOverflow for the support)



# File 'lib/logstash/filters/advisor.rb', line 74

# Starts a thread that runs the given block repeatedly, once per +interval+.
#
# Each pass measures how long the block took and sleeps for whatever is left of
# the interval, never for a negative time; with an interval of 0 or less the
# sleep is always 0.
#
# NOTE(review): timing uses Time.now, so a wall-clock adjustment during a pass
# changes the computed sleep. An exception raised by the block is not rescued
# here and would end the thread, after which no further ticks occur.
#
# @param interval [Numeric] seconds between the starts of two passes
# @yield called once per pass, inside the new thread
# @return [Thread] the started thread
def time_alert(interval)
  Thread.new do
    loop do
      began_at = Time.now
      yield
      remaining = interval - (Time.now - began_at)
      sleep(remaining > 0 ? remaining : 0)
    end
  end
end