Skip to content

Instantly share code, notes, and snippets.

@yaauie

yaauie/README.md

Last active July 17, 2024 08:36
Show Gist options
  • Save yaauie/d6b32b50ec7fdb7762b53a7baaf8298c to your computer and use it in GitHub Desktop.
Save yaauie/d6b32b50ec7fdb7762b53a7baaf8298c to your computer and use it in GitHub Desktop.
Download ZIP
List of scripts for the Logstash Ruby filter, with links
Raw
README.md

Logstash Ruby Filter Scripts

  • Transpose: transpose an array of two-value maps in a source field into an unordered key/value map, optionally storing the result in a target instead of overwriting (e.g., from [{"key":"this","value":"that"}] to {"this" => "that"})
  • Untranspose: transpose an unordered key/value map in a source field into an array of two-value maps, optionally storing the result in a target instead of overwriting (e.g., from {"this" => "that"} to [{"key":"this","value":"that"}])
  • Flatten Structure: transforms the deeply nested structure of an event or a source field into a flat key-value map by joining nested keys on a configurable separator, optionally storing the result in a target field instead of overwriting and optionally destructive-ly.
  • Find Field: finds occurrances of a field name on an event from a list of search fields, storing the found result(s) in a target field
  • Capture filter: captures all occurrances of the provided pattern in a source field that contains a string value, and stores them in a target field.
  • Extract Nested Set: extract nested values from an array of key/value maps (e.g., from [{"author":"Alice","title":"Apples"},{"author":"Bob","title":"Bananas"}] to authors ["Alice","Bob"] or titles ["Apples","Bananas"])
  • Strip field names in map: strips characters from field names in the map at the provided source field name. Defaults to stripping trailing- and leading-whitespace, but can be configured with a regexp
  • Transform field names: Transforms field names on the event or in the map held in source, optionally recursively. Supports downcase, underscore_whitespace, and underscore_dots transformations
  • Determine field type: determines the type of field stored in a source field, optionaly storing the result in a target field
  • Replace Subset: replaces the entire event with the value held in a single source field, optionally dropping events that do not contain the field.
  • Pull Up: pulls the entries contained in a source field to the root, optionally prefixing the field names.
  • Destructive Array Merge: destructively merges the contents of a source field into a target field, optionally coercing non-array values. When successful, the source will be unset and the target will hold the combined contents.
  • Estimate Serialized Size: performs a throwaway serialization of a field or the entire event and stores only the size in a target field.
  • Replace with Serialized: replaces the entire event's contents with a single field containing its JSON-serialized representation, optionally keeping the timestamp
  • JSON sanitize: transform a JSON string from a source field into a JSON string whose unserialized representation would not have square brackets in field names, optionally storing the result in a target field instead of overwriting
  • Tag when events over threshold: counts the fields on an event or in a source field, tagging the event when the provided threshold is met or exceeded. This script is recursive by default, but can be configured to avoid descending into nested values.
  • Delete Empty Nodes: deletes empty nodes, optionally recursively, from a source field or the entire event.
  • UTF8 Coerce: forcefully coerce a string-valued field to valid UTF-8, preferring a representational transcode operation, and falling back to the use of UTF8 replacement characters when encountering byte sequences that cannot be represented in unicode, optionally stashing a base64-encoded copy of the original when such lossy replacements are made.
  • Stringify Timestamp: converts a source field to its ISO8601 representation, optionally storing the result in a target field instead of overwriting,
  • GZip Decode: decodes the contents of a single gzip-compressed, possibly base64-encoded source field and places the result in a target field`.
  • Precision Timestamp: parses a string timestamp in a source field into a nano-precise time object using one or more Java Time format strings, optionally storing the result in a target field instead of the event's @timestamp.
  • CPU to Millis: converts one or more source fields containing CPU measurements to millis, respecting the m suffix, optionally storing the result in target fields instead of overwriting.
  • Memory to Megas: converts one or more source fields containing memory measurements into Megabytes, respecting the given suffix, optionally storing the result in target fields instead of overwriting.
  • Processor Hostname: sets a target field with the hostname of the Logstash instance, as reported by Socket#get_hostname.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment