Merge pull request #175 from yaauie/ecs-v8-preview

ecs: add v8 preview using v1 implementation

Author: yaauie

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 4.4.1
+ - Added preview of ECS v8 support using existing ECS v1 implementation [#175](https://github.com/logstash-plugins/logstash-filter-grok/pull/175)
+
 ## 4.4.0
  - Feat: ECS compatibility support [#162](https://github.com/logstash-plugins/logstash-filter-grok/pull/162)
 

docs/index.asciidoc

@@ -235,7 +235,7 @@ parsing different things), then set this to false.
 * Value type is <<string,string>>
 * Supported values are:
 ** `disabled`: the plugin will load legacy (built-in) pattern definitions
-** `v1`: all patterns provided by the plugin will use ECS compliant captures
+** `v1`,`v8`: all patterns provided by the plugin will use ECS compliant captures
 * Default value depends on which version of Logstash is running:
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.

lib/logstash/filters/grok.rb

@@ -332,6 +332,9 @@ def patterns_path
         patterns_path << LogStash::Patterns::Core.path # :legacy
       when :v1
         patterns_path << LogStash::Patterns::Core.path('ecs-v1')
+      when :v8
+        @logger.warn("ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the Elastic Common Schema becomes available, this plugin will need to be updated")
+        patterns_path << LogStash::Patterns::Core.path('ecs-v1')
       else
         fail(NotImplementedError, "ECS #{ecs_compatibility} is not supported by this plugin.")
       end

logstash-filter-grok.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-filter-grok'
-  s.version         = '4.4.0'
+  s.version         = '4.4.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Parses unstructured event data into fields"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

spec/filters/grok_spec.rb

@@ -38,13 +38,15 @@ def self.sample(message, &block)
       expect( event.get("pid") ).to eql "1713"
     end
 
-    context 'in ecs mode' do
-      let(:config) { super().merge('ecs_compatibility' => 'v1') }
+    %w(v1 v8).each do |ecs_mode|
+      context "in ecs mode #{ecs_mode}" do
+        let(:config) { super().merge('ecs_compatibility' => ecs_mode) }
 
-      it "matches pattern" do
-        expect( event.get("host") ).to eql "hostname"=>"evita"
-        expect( event.get("process") ).to eql "name"=>"postfix/smtpd", "pid"=>1713
-        expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+        it "matches pattern" do
+          expect( event.get("host") ).to eql "hostname"=>"evita"
+          expect( event.get("process") ).to eql "name"=>"postfix/smtpd", "pid"=>1713
+          expect( event.get("message") ).to eql "connect from camomile.cloud9.net[168.100.1.3]"
+        end
       end
     end
 
@@ -701,7 +703,7 @@ def self.sample(message, &block)
       expect( LogStash::Json.dump(event.get('username')) ).to eql "\"testuser\""
 
       expect( event.to_json ).to match %r|"src_ip":"1.1.1.1"|
-      expect( event.to_json ).to match %r|"@timestamp":"20\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d\d\dZ"|
+      expect( event.to_json ).to match %r|"@timestamp":"#{Regexp.escape(event.get('@timestamp').to_s)}"|
       expect( event.to_json ).to match %r|"port":"22"|
       expect( event.to_json ).to match %r|"@version":"1"|
       expect( event.to_json ).to match %r|"username"|i
@@ -769,6 +771,26 @@ def self.sample(message, &block)
   end
 end
 
+describe LogStash::Filters::Grok do
+
+  subject(:grok_filter) { described_class.new(config) }
+  let(:config) { {} }
+
+  context 'when initialized with `ecs_compatibility => v8`' do
+    let(:config) { super().merge("ecs_compatibility" => "v8", "match" => ["message", "%{SYSLOGLINE}"]) }
+    context '#register' do
+      let(:logger_stub) { double('Logger').as_null_object }
+      before(:each) { allow_any_instance_of(described_class).to receive(:logger).and_return(logger_stub)}
+
+      it 'logs a helpful warning about the unreleased v8' do
+        grok_filter.register
+
+        expect(logger_stub).to have_received(:warn).with(a_string_including "preview of the unreleased ECS v8")
+      end
+    end
+  end
+end
+
 describe LogStash::Filters::Grok do
   describe "(LEGACY)" do
     describe "patterns in the 'patterns/' dir override core patterns" do