Skip to content

Instantly share code, notes, and snippets.

View yaauie's full-sized avatar

Ry Biesemeyer yaauie

123 followers · 3 following
View GitHub Profile
@yaauie
yaauie / logstash-codec-csv.auto-flush-on-evict.patch
Last active September 28, 2021 20:24
Patch Logstash CSV Codec 1.0.0 to ensure the Logstash File Input re-detects column names per file (NOT NECESSARY with logstash-codec-multiline >= 3.1.1)
diff --git a/lib/logstash/codecs/csv.rb b/lib/logstash/codecs/csv.rb
index 07d6416..66cd6ed 100644
--- a/lib/logstash/codecs/csv.rb
+++ b/lib/logstash/codecs/csv.rb
@@ -133,12 +133,19 @@ class LogStash::Codecs::CSV < LogStash::Codecs::Base
rescue CSV::MalformedCSVError => e
@logger.error("CSV parse failure. Falling back to plain-text", :error => e, :data => data)
yield LogStash::Event.new("message" => data, "tags" => ["_csvparsefailure"])
end
end
@yaauie
yaauie / estimate-serialized-size.logstash-filter-ruby.rb
Last active September 27, 2021 20:18
Logstash Ruby Filter Script for estimating the serialized size of an event or one of its fields.
###############################################################################
# estimate-serialized-size.logstash-filter-ruby.rb
# ---------------------------------
# A script for a Logstash Ruby Filter to estimate the serialized size of an
# event or one of its fields.
###############################################################################
#
# Copyright 2021 Ry Biesemeyer
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
@yaauie
yaauie / delete-emtpy-nodes.logstash-filter-ruby.rb
Last active July 19, 2021 09:46
A script for a Logstash Ruby Filter to delete empty nodes from an event; by default, crawls the entire event recursively, but it can be configured to limit the scope.
###############################################################################
# delete-emtpy-nodes.logstash-filter-ruby.rb
# ---------------------------------
# A script for a Logstash Ruby Filter to delete empty nodes from an event; by
# default, crawls the entire event recursively, but it can be configured to
# limit the scope.
###############################################################################
#
# Copyright 2018 Ry Biesemeyer
#
@yaauie
yaauie / noisy-proxy.rb
Created April 12, 2021 17:03
require 'time' # Time#iso8601
# A NoisyProxy will log all method calls on the wrapped object and their results to the given IO.
# It will optionally _infect_ any object returned by the real method.
class NoisyProxy < BasicObject
def initialize(inner, infect:false, io:$stderr)
@inner = inner
@infect = infect
@io = io
end
@yaauie
yaauie / USAGE.md
Last active March 8, 2021 21:03

Suppose you had events with the following structure:

{
  "books": [
    {"author":"Alice",  "title":"Fields" },
    {"author":"Bob",    "title":"Oceans" },
    {"author":"Connie", "title":"Rivers" },
    {"author":"Connie", "title":"Lakes"  },
 {"author":"David", "title":"Streams"},
@yaauie
yaauie / USAGE.md
Created March 3, 2021 23:22
Logstash script for ruby filter plugin to destructively merge two array fields

This script has three parameters:

  • source: a field reference to the source array
  • target: a field reference to the target array
  • coerce: (optional: default false) when encountering non-array values in either source or target fields, setting coerce => true causes these fields to first be converted to a single-entry array.
filter {
@yaauie
yaauie / stringify-timestamp.logstash-filter-ruby.rb
Created September 10, 2020 16:03
stringify a timestamp field
###############################################################################
# stringify-timestamp.logstash-filter-ruby.rb
# ---------------------------------
# A script for a Logstash Ruby Filter to stringify logstash timestamps using
# ISO-8601.
###############################################################################
#
# Copyright 2020 Ry Biesemeyer
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
@yaauie
yaauie / ecs-complaint-host-geoip.conf
Created July 22, 2020 15:50
Example remapping the fields output by GeoIP filter for a host ip to ECS's host geo fields, as identified in the ECS compatibility mode issue https://github.com/logstash-plugins/logstash-filter-geoip/issues/163#issuecomment-592177677
filter {
geoip {
source => "[host][ip]"
target => "[@metadata][host_geoip]"
}
if [@metadata][host_geoip] {
mutate {
copy => {
"[@metadata][host_geoip][city_name]" => "[host][geo][city_name]"
"[@metadata][host_geoip][country_name]" => "[host][geo][country_name]"
@yaauie
yaauie / tag-when-fields-over-threshold.logstash-filter-ruby.rb
Last active June 1, 2020 18:40
Logstash: tag when field count over threshold
###############################################################################
# tag-when-fields-over-threshold.logstash-filter-ruby.rb
# ---------------------------------
# A script for a Logstash Ruby Filter to tag an event when it has "too many"
# fields, with a configurable threshold.
###############################################################################
#
# Copyright 2020 Ry Biesemeyer
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
@yaauie
yaauie / replace-subset.logstash-filter-ruby.rb
Created May 11, 2020 17:03
###############################################################################
# replace-subset.logstash-filter-ruby.rb
# ---------------------------------
# A script for a Logstash Ruby Filter to replace an event's contents with a
# subset that exists as an object in a field.
###############################################################################
#
# Copyright 2020 Ry Biesemeyer
#
# Permission is hereby granted, free of charge, to any person obtaining a copy