INFORMATION:
The advisor filter is designed to capture and compare events.
Events must first be matched by a filter; advisor can then emit a copy of the event (a clone) tagged "advisor_first".
This copy is the first occurrence of that event seen within time_adv.
After time_adv elapses, advisor emits an event tagged "advisor_info" that reports the number of identical events seen within time_adv.
INFORMATION ABOUT CLASS:
To do this job I used a thread that sleeps for time_adv. I assume that the events reaching advisor are tagged, and I use an array to store the distinct events.
If an event is not present in the array, it is the first of its kind, and if the option is enabled advisor pushes out a copy of it.
Otherwise the event is already in the array, so it is a repeat rather than the first, and it is counted.
USAGE:
This is an example of a logstash config:
filter {
  advisor {
    time_adv => 1       # (optional)
    send_first => true  # (optional)
  }
}
We analyze this:
time_adv => 1
Means the time (in seconds) after which the matched and collected events are pushed to the outputs with tag "advisor_info".
send_first => true
Means that the first event of each distinct kind that reaches advisor is pushed out as a cloned copy tagged "advisor_first".
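The following Ruby is an added example, not the plugin's own code, that models the behaviour described under INFORMATION ABOUT CLASS and the two options above: a flush method stands in for the sleeping thread, and the message-plus-tags key and the sample events are assumptions.

```ruby
# Added example: a self-contained model of the advisor logic described above,
# not the plugin's own code. Events are Hashes with "message" and "tags";
# "sameness" is assumed to be message plus sorted tags.
class AdvisorModel
  def initialize(time_adv: 0, send_first: true)
    @time_adv = time_adv      # window in seconds; 0 means the filter does nothing
    @send_first = send_first
    @counts = {}              # key => number of same events seen in the window
    @firsts = {}              # key => copy of the first occurrence
  end
  # Called per event. Returns the "advisor_first" clone for a new kind of
  # event (when send_first is on), nil otherwise; repeats are only counted.
  def filter(event)
    return nil if @time_adv <= 0
    key = [event["message"], (event["tags"] || []).sort]
    if @counts.key?(key)
      @counts[key] += 1
      return nil
    end
    @counts[key] = 1
    clone = { "message" => event["message"],
              "tags" => (event["tags"] || []) + ["advisor_first"] }
    @firsts[key] = clone
    @send_first ? clone : nil
  end
  # Called when time_adv elapses (the plugin does this from a sleeping thread):
  # emits one "advisor_info" event per distinct event with its count, then resets.
  def flush
    infos = @counts.map do |key, n|
      { "message" => "#{@firsts[key]["message"]} seen #{n} times in #{@time_adv}s",
        "tags" => ["advisor_info"], "count" => n }
    end
    @counts.clear
    @firsts.clear
    infos
  end
end
# Constructed sample stream: a repeated auth failure and one unrelated event.
def demo
  adv = AdvisorModel.new(time_adv: 1, send_first: true)
  sample = [
    { "message" => "sshd: failed password for root", "tags" => ["auth"] },
    { "message" => "sshd: failed password for root", "tags" => ["auth"] },
    { "message" => "disk 91% full", "tags" => ["sys"] },
    { "message" => "sshd: failed password for root", "tags" => ["auth"] }
  ]
  firsts = sample.map { |e| adv.filter(e) }.compact
  [firsts, adv.flush]   # two advisor_first clones, then counts 3 and 1
end
```

Running demo yields one "advisor_first" clone per distinct event and, on flush, an "advisor_info" summary per kind, which is the signal a repeated-failure alert would be built on.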
filter {
  advisor {
    add_field => ...    # hash (optional), default: {}
    add_tag => ...      # array (optional), default: []
    remove_field => ... # array (optional), default: []
    remove_tag => ...   # array (optional), default: []
    send_first => ...   # boolean (optional), default: true
    time_adv => ...     # number (optional), default: 0
  }
}
add_field: If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
  advisor {
    add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
  }
}
# You can also add multiple fields at once:
filter {
  advisor {
    add_field => {
      "foo_%{somefield}" => "Hello world, from %{host}"
      "new_field" => "new_static_value"
    }
  }
}
If the event has field “somefield” == “hello” this filter, on success, would add field “foo_hello” if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.
add_tag: If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
  advisor {
    add_tag => [ "foo_%{somefield}" ]
  }
}
# You can also add multiple tags at once:
filter {
  advisor {
    add_tag => [ "foo_%{somefield}", "taggedy_tag" ]
  }
}
If the event has field “somefield” == “hello” this filter, on success, would add a tag “foo_hello” (and the second example would of course add a “taggedy_tag” tag).
exclude_tags: Only handle events without all/any (controlled by the exclude_any config option) of these tags. Optional.
remove_field: If this filter is successful, remove arbitrary fields from this event. Field names can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
  advisor {
    remove_field => [ "foo_%{somefield}" ]
  }
}
# You can also remove multiple fields at once:
filter {
  advisor {
    remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
  }
}
If the event has field “somefield” == “hello” this filter, on success, would remove the field with name “foo_hello” if it is present. The second example would remove an additional, non-dynamic field.
remove_tag: If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
  advisor {
    remove_tag => [ "foo_%{somefield}" ]
  }
}
# You can also remove multiple tags at once:
filter {
  advisor {
    remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag" ]
  }
}
If the event has field “somefield” == “hello” this filter, on success, would remove the tag “foo_hello” if it is present. The second example would remove a sad, unwanted tag as well.
send_first: Set this if you want the first event of each distinct kind to be pushed out as a cloned copy (tagged "advisor_first").
time_adv: The window, in seconds, over which identical events are counted. If you do not set time_adv the plugin does nothing.
tags: Only handle events with all/any (controlled by the include_any config option) of these tags. Optional.
type: The type to act on. If a type is given, then this filter will only act on messages with the same type. See any input plugin's "type" attribute for more. Optional.
Note that all of the specified routing options (type, tags, exclude_tags, include_fields, exclude_fields) must be met in order for the event to be handled by the filter.