logstash-plugins / logstash-output-riemann

Apache License 2.0

Sender field not being honored #13

Closed jamtur01 closed 8 years ago

jamtur01 commented 8 years ago

When I specify:

riemann {
  host => "riemanna.example.com"
  sender => "%{syslog_hostname}"
  map_fields => true
  . . .
}

The :host field on my riemann event is from the Logstash event's host field and not the syslog_hostname field.

nukemberg commented 8 years ago

Which version of the plugin are you using?

jamtur01 commented 8 years ago

2.0.2 with Logstash 2.1.1.

jamtur01 commented 8 years ago

If I output the r_event variable at send I see:

{:timestamp=>"2016-02-07T19:42:11.470000+0000", :message=>"Riemann event: ", :riemann_event=>{:host=>"host.example.com", :time=>1454874131, :description=>nil, :service=>"tornado.api.response_time", :metric=>83.0, :state=>"ok", :port=>42257, :type=>"syslog", :syslog_timestamp=>"Feb  7 19:42:11", :syslog_hostname=>"app1-api1", :syslog_program=>"aom-clojure-rest", :syslog_severity_code=>5, :syslog_facility_code=>1, :syslog_facility=>"user-level", :syslog_severity=>"notice", :app_timestamp=>"16-02-07 19:42:11", :app_host=>"app1-api1", :app_severity=>"INFO", :app_request_state=>"Finished", :app_verb=>"post", :app_path=>"/api", :app_source=>"xxx.xxx.xxx.xxx", :app_request_time=>83, :app_status_code=>200}, :level=>:info}

Where host.example.com is the value of the Logstash event's host field and NOT syslog_hostname.

jamtur01 commented 8 years ago

Oh. I see what it is. Look at the logic flow in build_riemann_formatted_event.

def build_riemann_formatted_event(event)
  # Let's build us an event, shall we?
  r_event = Hash.new
  r_event[:host] = event.sprintf(@sender)
  # riemann doesn't handle floats so we reduce the precision here
  r_event[:time] = event["@timestamp"].to_i
  r_event[:description] = event["message"]
  if @riemann_event
    @riemann_event.each do |key, val|
      if ["ttl","metric"].include?(key)
        r_event[key.to_sym] = event.sprintf(val).to_f
      else
        r_event[key.to_sym] = event.sprintf(val)
      end
    end
  end
  if @map_fields == true
    r_event.merge! map_fields(nil, event.to_hash)
  end
  r_event[:tags] = event["tags"] if event["tags"].is_a?(Array)

  return r_event
end

1. We set the r_event[:host] in https://github.com/logstash-plugins/logstash-output-riemann/blob/master/lib/logstash/outputs/riemann.rb#L136
2. If map_fields is enabled then it maps all fields barring those starting with @ in https://github.com/logstash-plugins/logstash-output-riemann/blob/master/lib/logstash/outputs/riemann.rb#L150.

Since host is a field in the event the mapping will override the previous setting.
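
The override described in the comment above, reproduced as an added Ruby example (not the plugin's code, and not necessarily how the project fixed it), next to an ordering in which the configured sender survives. `FakeEvent`, `map_top_level_fields`, `build_overridden` and `build_sender_wins` are hypothetical stand-ins, and the sample event is constructed from the values shown in the issue.

```ruby
# Minimal stand-in for a Logstash event (hypothetical; not LogStash::Event).
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def [](key)
    @fields[key]
  end

  def to_hash
    @fields.dup
  end

  # Expand %{field} references for simple top-level field names.
  def sprintf(template)
    template.gsub(/%\{([^}]+)\}/) { @fields[Regexp.last_match(1)].to_s }
  end
end

# Simplified mapping step: copy every field whose name does not start
# with "@" into the Riemann event under a symbol key.
def map_top_level_fields(fields)
  fields.reject { |k, _| k.start_with?("@") }
        .each_with_object({}) { |(k, v), out| out[k.to_sym] = v }
end

# Order from the issue: :host is set first, then the merge overwrites it
# with the event's own "host" field.
def build_overridden(event, sender)
  r_event = { host: event.sprintf(sender) }
  r_event.merge!(map_top_level_fields(event.to_hash))
  r_event
end

# Alternative order: map fields first, apply the explicit sender last.
def build_sender_wins(event, sender)
  r_event = map_top_level_fields(event.to_hash)
  r_event[:host] = event.sprintf(sender)
  r_event
end

# Constructed sample event using field values shown in the issue.
SAMPLE = FakeEvent.new(
  "host" => "host.example.com",
  "syslog_hostname" => "app1-api1",
  "@timestamp" => 1454874131
)
```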

jamtur01 commented 8 years ago

Thanks! When will a new build be pushed?

nukemberg commented 8 years ago

Adding a few tests. 10 minutes, I think.


jamtur01 commented 8 years ago

Awesome! Thank you! Perfect timing for me to go to the pub. :)