set target in grok filter

childe · Feb 13, 2020 · 9a7b165 · 9a7b165
1 parent d9fa13d
commit 9a7b165
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 8 deletions.
diff --git a/filter/grok.go b/filter/grok.go
@@ -129,7 +129,6 @@ func (grok *Grok) translateMatchPattern(s string) string {
 		}
 		s = r
 	}
-	return r
 }
 
 type Grok struct {
@@ -179,6 +178,7 @@ type GrokFilter struct {
 	config    map[interface{}]interface{}
 	overwrite bool
 	groks     []*Grok
+	target    string
 	src       string
 	vr        value_render.ValueRender
 }
@@ -208,6 +208,7 @@ func (l *MethodLibrary) NewGrokFilter(config map[interface{}]interface{}) *GrokF
 		config:    config,
 		groks:     groks,
 		overwrite: true,
+		target:    "",
 	}
 
 	if overwrite, ok := config["overwrite"]; ok {
@@ -221,6 +222,10 @@ func (l *MethodLibrary) NewGrokFilter(config map[interface{}]interface{}) *GrokF
 	}
 	gf.vr = value_render.GetValueRender2(gf.src)
 
+	if target, ok := config["target"]; ok {
+		gf.target = target.(string)
+	}
+
 	return gf
 }
 
@@ -233,18 +238,24 @@ func (gf *GrokFilter) Filter(event map[string]interface{}) (map[string]interface
 		input = inputI.(string)
 	}
 
-	success := false
 	for _, grok := range gf.groks {
 		rst := grok.grok(input)
 		if len(rst) == 0 {
 			continue
 		}
 
-		for field, value := range rst {
-			event[field] = value
+		if gf.target == "" {
+			for field, value := range rst {
+				event[field] = value
+			}
+		} else {
+			target := make(map[string]interface{})
+			for field, value := range rst {
+				target[field] = value
+			}
+			event[gf.target] = target
 		}
-		success = true
-		break
+		return event, true
 	}
-	return event, success
+	return event, false
 }
diff --git a/filter/grok_test.go b/filter/grok_test.go
@@ -30,8 +30,37 @@ func TestGrokFilter(t *testing.T) {
 		}
 	}
 }
+func TestTarget(t *testing.T) {
+	config := make(map[interface{}]interface{})
+	match := make([]interface{}, 2)
+	match[0] = `(?P<logtime>\S+ \S+) \[(?P<level>\w+)\] (?P<msg>.*)$`
+	match[1] = `(?P<logtime>\S+ \S+)`
+	config["match"] = match
+	config["src"] = "message"
+	config["target"] = "grok"
+
+	f := methodLibrary.NewGrokFilter(config)
+
+	event := make(map[string]interface{})
+	event["message"] = "2018-07-12T14:45:00 +0800 [info] message"
+
+	event, ok := f.Filter(event)
+	t.Log(event)
+
+	if ok == false {
+		t.Error("grok filter fail")
+	}
+
+	if grok, ok := event["grok"]; ok {
+		if msg, ok := grok.(map[string]interface{})["msg"]; !ok || msg.(string) != "message" {
+			t.Error("msg field do not match")
+		}
+	} else {
+		t.Error("grok field should exist")
+	}
+}
 
-func TestTranslate(t *testing.T) {
+func TestPattern(t *testing.T) {
 	grok := &Grok{}
 	grok.patterns = map[string]string{
 		"USERNAME": "[a-zA-Z0-9._-]+",