Details

      Description

      I am attempting to filter through grok with named fields, then filter through a custom filter.

      After grok when I call the custom filter the event seems to be the same as before grok.

      I am confused on how to chain filters and maintain the changes as the event trickles through them.

      input {
        stdin { type => "stash-auth" }
      }
      filter {
      
              if "stash-auth" in [type] {
                      grok { 
                              patterns_dir => "patterns"
                              pattern => "%{STASH_CAPTCHA}"
                              add_tag => ["stash-captcha"]
                      }
                      #event being passed to next block is still same as before grok
                      if "stash-captcha" in [tags] {
                              mutate {
                                      add_field => { "userName" => "%{user1}" }
                              }
                              crowd {
                                      crowdURL => "https://crowd/rest/usermanagement/1/user?username="
                                      timeout => 2
                              }
                      }
              }
      
      }
      output {
        stdout { codec => rubydebug }
      }
      

      I took the basic DNS filter and started with that.

      class LogStash::Filters::Crowd < LogStash::Filters::Base
      
        config_name "crowd"
        milestone 1
      
        # Lookup email address of username.
        #config :userName, :validate => :string
      
        # Determine what action to do: append or replace the values in the field
        # specified under "username"
        config :action, :validate => [ "append", "replace" ], :default => "append"
      
        # Atlassian Crowd REST API URL
        config :crowdURL, :validate => :string
      
        # RestClient timeout
        config :timeout, :validate => :number, :default => 2
      
        public
        def register
          require "json"
          require "rest_client"
          @resource = RestClient::Resource.new(@crowdURL,
                              :user => "secret",
                              :password => "secret",
                              :timeout => @timeout,
                              :accept => 'application/json')
        end # def register
      
        public
        def filter(event)
              puts event[userName] # <--- NOTHING prints here
              puts event.inspect   # <--- The original message from before grok prints here
          return unless filter?(event)
          @response = @resource[event[userName]].get # <--- undefined local variable or method `userName'
          @responseHash = JSON.parse(@response)
          @email = @responseHash["email"]
      
      
          filter_matched(event)
        end
      
      
      end # class LogStash::Filters::Crowd
      

      The grok filter works, if I run it without the second filter for crowd I get the results I want in output.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                logstash-dev Logstash Developers (Inactive)
                Reporter:
                zbuckholz Zachary Buckholz
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: