Create 'exec' filter · elastic/logstash#2528

(1 comment) (1 reaction) (0 assignees)Ruby (3,496 forks)batch import

help wantednew plugin

Repository metrics

Stars: (14,197 stars)
PR merge metrics: (Avg merge 2d 22h) (75 merged PRs in 30d)

Description

Migrated from https://logstash.jira.com/browse/LOGSTASH-119:

Would be useful to pipe arbitrary fields through a command to modify them.

Here's an example that would anonymize hostnames or something.
filter {
  exec {
    command => "sed -re 's/\S+\.loggly\.com/anonymizedhost.example.com/'"
    fields => [ "@message", "hostname", "@source_host" ]
  }
}
The default would use only the message to parse

The protocol between logstash and the exec filter must be strict. Something like: for every line emitted, one line must be emitted as the 'new' line. If no changes are made, simply print it unmodified.

deleting the field can be done by printing a blank line

we exec the process once and use stdin for sending data, stdout for reading responses; if it dies, some retries should occur

Contributor guide

Research direction: Study existing Logstash filter plugins (e.g., mutate, grok) to understand the plugin structure and lifecycle. Implement a new filter that spawns a child process, sends event field values via stdin line by line, reads stdout line by line, and replaces the field with the output. Handle process failures with retries. Ensure the config syntax (command, fields) is parsed correctly.
Tech stack: ruby
Domain: backend
Issue type: Feature
Difficulty: 3
Estimated time: Half day
Activity status: Active
Clarity: Clear
Prerequisites: RubyCommand line
Newbie friendliness: 65

Repository metrics

Description

Contributor guide

Get fresh easy issues in your inbox.