fluent-plugin-grepcounter's Introduction

fluent-plugin-grepcounter

Fluentd plugin to count the number of matched messages, and emit if the count exceeds the threshold.

Configuration

Assume the inputs from another plugin are as follows:

syslog.host1: {"message":"20.4.01/13T07:02:11.124202 INFO GET /ping" }
syslog.host1: {"message":"20.4.01/13T07:02:13.232645 WARN POST /auth" }
syslog.host1: {"message":"20.4.01/13T07:02:21.542145 WARN GET /favicon.ico" }
syslog.host1: {"message":"20.4.01/13T07:02:43.632145 WARN POST /login" }

An example of grepcounter configuration:

<match syslog.**>
  type grepcounter
  count_interval 60
  input_key message
  regexp WARN
  exclude favicon.ico
  threshold 1
  add_tag_prefix warn.count
</match>

The output then looks like this (indented):

warn.count.syslog.host1: {
  "count":2,
  "message":["20.4.01/13T07:02:13.232645 WARN POST /auth","20.4.01/13T07:02:43.632145 WARN POST /login"],
  "input_tag":"syslog.host1",
  "input_tag_last":"host1",
}

Output message by joining with a delimiter

By default, the grepcounter plugin outputs the matched messages as an array, as shown above. To output them as a single string instead, use the delimiter option:

<match syslog.**>
  type grepcounter
  count_interval 60
  input_key message
  regexp WARN
  exclude favicon.ico
  threshold 1
  add_tag_prefix warn.count
  delimiter \n
</match>

The output then looks like this (indented). The message field is joined with \n.

warn.count.syslog.host1: {
  "count":2,
  "message":"20.4.01/13T07:02:13.232645 WARN POST /auth\n20.4.01/13T07:02:43.632145 WARN POST /login",
  "input_tag":"syslog.host1",
  "input_tag_last":"host1",
}
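The counting rules configured above, modelled in plain Ruby as an added example (not the plugin's own code). The helper names, the second host's log line and the anchored STRICT pattern are assumptions made for illustration; the model counts per input tag, which is what the sample output shows. It also shows that an unanchored regexp such as WARN counts any line containing that text, including one where it appears only in a request path.

```ruby
require 'json'

# Constructed input: the README's four sample lines, plus one line from a
# second host whose request path (not its log level) contains "WARN".
EVENTS = [
  ['syslog.host1', { 'message' => '20.4.01/13T07:02:11.124202 INFO GET /ping' }],
  ['syslog.host1', { 'message' => '20.4.01/13T07:02:13.232645 WARN POST /auth' }],
  ['syslog.host1', { 'message' => '20.4.01/13T07:02:21.542145 WARN GET /favicon.ico' }],
  ['syslog.host1', { 'message' => '20.4.01/13T07:02:43.632145 WARN POST /login' }],
  ['syslog.host2', { 'message' => '20.4.01/13T07:02:50.000000 INFO GET /search?q=WARN' }]
].freeze

# Hypothetical helper (not the plugin's API): one count_interval, counted
# separately per input tag, emitting only when count >= threshold.
def grepcount(events, input_key:, regexp:, exclude: nil, threshold: 1,
              add_tag_prefix: nil, delimiter: nil)
  matched = Hash.new { |hash, tag| hash[tag] = [] }
  events.each do |tag, record|
    value = record[input_key].to_s.scrub('?') # invalid UTF-8 bytes become '?'
    next unless regexp.match?(value)
    next if exclude&.match?(value)            # behaves like grep -v

    matched[tag] << value
  end
  matched.each_with_object({}) do |(tag, messages), out|
    next if messages.size < threshold

    out[[add_tag_prefix, tag].compact.join('.')] = {
      'count' => messages.size,
      'message' => delimiter ? messages.join(delimiter) : messages,
      'input_tag' => tag,
      'input_tag_last' => tag.split('.').last
    }
  end
end

# Same settings as the configuration above; only the regexp varies.
def count_warn(regexp, delimiter: nil)
  grepcount(EVENTS, input_key: 'message', regexp: regexp,
            exclude: Regexp.new('favicon.ico'), threshold: 1,
            add_tag_prefix: 'warn.count', delimiter: delimiter)
end

LOOSE = Regexp.new('WARN') # as configured: matches anywhere in the field
STRICT = /\A\S+ WARN /     # assumption: the level is the second token

puts JSON.pretty_generate(count_warn(LOOSE))
puts JSON.pretty_generate(count_warn(STRICT, delimiter: "\n"))
```

With LOOSE, syslog.host2 is emitted with a count of 1 although it logged no warning; with STRICT only syslog.host1 is emitted.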

Parameters

  • count_interval

    The interval time to count in seconds. Default is 60.

  • input_key field_key

    The target field key to grep out. Use with regexp or exclude.

  • regexp regexp

    The filtering regular expression

  • exclude regexp

    The excluding regular expression like grep -v

  • regexp[1-20] field_key regexp (experimental)

    The target field key and the filtering regular expression to grep out. No message is outputted in this case.

  • exclude[1-20] field_key regexp (experimental)

    The target field key and the excluding regular expression like grep -v. No message is outputted in this case.

  • threshold

    The threshold number to emit. Emit if count value >= specified value.

  • greater_equal

    Same as the threshold option. Emit if count value is greater than or equal to (>=) specified value.

  • greater_than

    Emit if count value is greater than (>) specified value.

  • less_than

    Emit if count value is less than (<) specified value.

  • less_equal

    Emit if count value is less than or equal to (<=) specified value.

  • tag

    The output tag. Required when aggregate is all.

  • add_tag_prefix

    Add tag prefix for output message

  • remove_tag_prefix

    Remove tag prefix for output message

  • add_tag_suffix

    Add tag suffix for output message

  • remove_tag_suffix

    Remove tag suffix for output message

  • remove_tag_slice min..max

    Remove tag parts by slice function. FYI: This option behaves like tag.split('.').slice(min..max).

    For example,

      remove_tag_slice 0..-2
    

    changes an input tag foo.bar.host1 to foo.bar.

  • aggregate

    Aggregation unit. One of all, in_tag, out_tag can be specified. Default is all.

    • all counts summation for all input messages and emit one message in each interval.
    • in_tag counts summation for each input tag separately.
    • out_tag counts summation for each tag modified by add_tag_prefix, remove_tag_prefix, or remove_tag_slice.
  • delimiter

    Output matched messages after joined with the specified delimiter.

  • replace_invalid_sequence

    Replace invalid byte sequence in UTF-8 with '?' character if true

  • store_file

    Store internal count data into a file of the given path on shutdown, and load it on starting.

ChangeLog

See CHANGELOG.md for details.

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Copyright

Copyright (c) 2013 Naotoshi SEO. See LICENSE for details.

fluent-plugin-grepcounter's People

Contributors

cosmo0920, okkez, repeatedly, sonots

fluent-plugin-grepcounter's Issues

License missing from gemspec

RubyGems.org doesn't report a license for your gem. This is because it is not specified in the gemspec of your last release.

via e.g.

spec.license = 'MIT'
# or
spec.licenses = ['MIT', 'GPL-2']

Including a license in your gemspec is an easy way for rubygems.org and other tools to check how your gem is licensed. As you can imagine, scanning your repository for a LICENSE file or parsing the README, and then attempting to identify the license or licenses is much more difficult and more error prone. So, even for projects that already specify a license, including a license in your gemspec is a good practice. See, for example, how rubygems.org uses the gemspec to display the rails gem license.

There is even a License Finder gem to help companies/individuals ensure all gems they use meet their licensing needs. This tool depends on license information being available in the gemspec. This is an important enough issue that even Bundler now generates gems with a default 'MIT' license.

I hope you'll consider specifying a license in your gemspec. If not, please just close the issue with a nice message. In either case, I'll follow up. Thanks for your time!

Appendix:

If you need help choosing a license (sorry, I haven't checked your readme or looked for a license file), GitHub has created a license picker tool. Code without a license specified defaults to 'All rights reserved'-- denying others all rights to use of the code.
Here's a list of the license names I've found and their frequencies

p.s. In case you're wondering how I found you and why I made this issue, it's because I'm collecting stats on gems (I was originally looking for download data) and decided to collect license metadata, too, and make issues for gemspecs not specifying a license as a public service :). See the previous link or my blog post about this project for more information.

grepcounter doesn't emit new messages

I've got the following fluentd configuration:

  <source>
    type tail
    path /var/log/test.log
    pos_file fluentd-docker.pos
    time_format %Y-%m-%dT%H:%M:%S
    tag test.*
    format json
    read_from_head true
  </source>
  <match **>
    @type grepcounter
    count_interval 60
    input_key validkey
    regexp validvalue
    greater_equal 1
    add_tag_prefix tagprefix
  </match>
  <match **>
    @type stdout
  </match>

I'd expect that after inserting the following message:
echo '{"validkey": "validvalue"}' >> /var/log/test.log
into test.log file, the message is displayed in fluentd logs. However, it doesn't happen. When I remove grepcounter section, the message is correctly displayed.

Please correct me if I'm wrong - shouldn't it work in a way that grepcounter catches the message and emits a new message which is later caught by stdout?

Additional info:

# /opt/td-agent/embedded/bin/ruby --version
ruby 2.1.10p492 (2016-04-01 revision 54464) [x86_64-linux]

# /opt/td-agent/embedded/bin/gem list | grep fluent-plugin-grepcounter
fluent-plugin-grepcounter (0.6.0)

I've also tried with v0.5.0 - issue is the same.

Regular Expression

Hi,
Is this plugin able to accept regular expression syntax instead of strings?
Best Regards.

Include keys in notify message

Add a parameter to add some specified keys to the count line.

config parameter
include_keys host,sessionid,......

for ex {"count":2,"message":[....],"host":["asp01","asp02",....],.......}

This will include the keys specified in the config and add them (useful for application clusters).
