search

logstash-plugins / logstash-filter-grok

Grok plugin to parse unstructured (log) data into something structured.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
Apache License 2.0
122 stars 97 forks source link

Spec LogStash::Filters::Grok after grok when the event is JSON serialised the field values are unchanged Fails Randomly with Master #127

Closed original-brownbear closed 6 years ago

original-brownbear commented 6 years ago

It's in the title, seeing random failures on Travis and locally with LS master like so:

➜  logstash-filter-grok git:(master) LOGSTASH_PATH="/Users/brownbear/src/logstash" LOGSTASH_SOURCE="1" bundle exec rspec spec
Sending Logstash's logs to  which is now configured via log4j2.properties
Run options: exclude {:redis=>true, :socket=>true, :performance=>true, :couchdb=>true, :elasticsearch=>true, :elasticsearch_secure=>true, :export_cypher=>true, :integration=>true, :windows=>true}

Randomized with seed 39407
....................................................................................................

Finished in 5.42 seconds (files took 4.37 seconds to load)
100 examples, 0 failures

Randomized with seed 39407

➜  logstash-filter-grok git:(master) LOGSTASH_PATH="/Users/brownbear/src/logstash" LOGSTASH_SOURCE="1" bundle exec rspec spec
Sending Logstash's logs to  which is now configured via log4j2.properties
Run options: exclude {:redis=>true, :socket=>true, :performance=>true, :couchdb=>true, :elasticsearch=>true, :elasticsearch_secure=>true, :export_cypher=>true, :integration=>true, :windows=>true}

Randomized with seed 51506
F...................................................................................................

Failures:

  1) LogStash::Filters::Grok after grok when the event is JSON serialised the field values are unchanged "{"facility":"auth","message":"Failed password for t..." when processed
     Failure/Error: insist { subject.to_json } =~ %r|"tags":\["ssh_failure"\]}|

     Insist::Failure:
       Expected "{\"@timestamp\":\"2017-11-23T11:44:05.552Z\",\"@version\":\"1\",\"tags\":[\"ssh_failure\"],\"username\":\"testuser\",\"src_ip\":\"1.1.1.1\",\"port\":\"22\"}" =~ /"tags":\["ssh_failure"\]}/
     # /Users/brownbear/.rvm/gems/jruby-9.1.14.0/gems/insist-1.0.0/lib/insist/assert.rb:8:in `assert'
     # /Users/brownbear/.rvm/gems/jruby-9.1.14.0/gems/insist-1.0.0/lib/insist/comparators19.rb:13:in `=~'
     # ./spec/filters/grok_spec.rb:892:in `block in (root)'
     # /Users/brownbear/.rvm/gems/jruby-9.1.14.0/gems/rspec-wait-0.0.9/lib/rspec/wait.rb:46:in `block in (root)'

Finished in 5.8 seconds (files took 3 seconds to load)
100 examples, 1 failure

Failed examples:

rspec ./spec/filters/grok_spec.rb:880 # LogStash::Filters::Grok after grok when the event is JSON serialised the field values are unchanged "{"facility":"auth","message":"Failed password for t..." when processed
original-brownbear commented 6 years ago

@andrewvc fyi, working on it now

original-brownbear commented 6 years ago

fixed via #128