| # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| input { |
| http_poller { |
| urls => { |
| event_queue => { |
| method => get |
| url => "${dmaap_base_url}/events/${event_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000" |
| headers => { |
| Accept => "application/json" |
| } |
| add_field => { "topic" => "${event_topic}" } |
| type => "dmaap_event" |
| } |
| notification_queue => { |
| method => get |
| url => "${dmaap_base_url}/events/${notification_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000" |
| headers => { |
| Accept => "application/json" |
| } |
| add_field => { "topic" => "${notification_topic}" } |
| type => "dmaap_notification" |
| } |
| request_queue => { |
| method => get |
| url => "${dmaap_base_url}/events/${request_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000" |
| headers => { |
| Accept => "application/json" |
| } |
| add_field => { "topic" => "${request_topic}" } |
| type => "dmaap_request" |
| } |
| } |
| socket_timeout => 30 |
| request_timeout => 30 |
| codec => "plain" |
| schedule => { "every" => "1m" } |
| cacert => "/certs.d/aafca.pem" |
| } |
| } |
| |
| input { |
| file { |
| path => [ |
| "/log-input/*" |
| ] |
| type => "dmaap_log" |
| codec => "json" |
| } |
| } |
| |
| filter { |
| if [type] != "dmaap_log" { |
| #only execute this section for dmaap events from http request |
| #it doesn't apply to dmaap events from log file |
| |
| # avoid noise if no entry in the list |
| if [message] == "[]" { |
| drop { } |
| } |
| |
| if [http_request_failure] or [@metadata][code] != "200" { |
| mutate { |
| add_tag => [ "error" ] |
| } |
| } |
| |
| if "dmaap_source" in [tags] { |
| # |
| # Dmaap provides a json list, whose items are Strings containing the event |
| # provided to Dmaap, which itself is an escaped json. |
| # |
| # We first need to parse the json as we have to use the plaintext as it cannot |
| # work with list of events, then split that list into multiple string events, |
| # that we then transform into json. |
| # |
| json { |
| source => "[message]" |
| target => "message" |
| } |
| ruby { |
| code => " |
| for ev in event.get('message', []) |
| ev.set('@metadata', event.get('@metadata')) |
| end |
| " |
| } |
| |
| split { |
| field => "message" |
| } |
| json { |
| source => "message" |
| } |
| mutate { |
| remove_field => [ "message" ] |
| } |
| } |
| } |
| #now start the common, to both http request and log file events, processing |
| |
| # |
| # Some timestamps are expressed as milliseconds, some are in microseconds |
| # |
| if [closedLoopAlarmStart] { |
| ruby { |
| code => " |
| if event.get('closedLoopAlarmStart').to_s.to_i(10) > 9999999999999 |
| event.set('closedLoopAlarmStart', event.get('closedLoopAlarmStart').to_s.to_i(10) / 1000) |
| else |
| event.set('closedLoopAlarmStart', event.get('closedLoopAlarmStart').to_s.to_i(10)) |
| end |
| " |
| } |
| date { |
| match => [ "closedLoopAlarmStart", UNIX_MS ] |
| target => "closedLoopAlarmStart" |
| } |
| } |
| |
| if [closedLoopAlarmEnd] { |
| ruby { |
| code => " |
| if event.get('closedLoopAlarmEnd').to_s.to_i(10) > 9999999999999 |
| event.set('closedLoopAlarmEnd', event.get('closedLoopAlarmEnd').to_s.to_i(10) / 1000) |
| else |
| event.set('closedLoopAlarmEnd', event.get('closedLoopAlarmEnd').to_s.to_i(10)) |
| end |
| " |
| } |
| date { |
| match => [ "closedLoopAlarmEnd", UNIX_MS ] |
| target => "closedLoopAlarmEnd" |
| } |
| |
| } |
| |
| |
| # |
| # Notification time are expressed under the form "yyyy-MM-dd HH:mm:ss", which |
| # is close to ISO8601, but lacks of T as spacer: "yyyy-MM-ddTHH:mm:ss" |
| # |
| if [notificationTime] { |
| mutate { |
| gsub => [ "notificationTime", " ", "T" ] |
| } |
| date { |
| match => [ "notificationTime", ISO8601 ] |
| target => "notificationTime" |
| } |
| } |
| |
| |
| # |
| # Renaming some fields for readability |
| # |
| if [AAI][generic-vnf.vnf-name] { |
| mutate { |
| add_field => { "vnfName" => "%{[AAI][generic-vnf.vnf-name]}" } |
| } |
| } |
| if [AAI][generic-vnf.vnf-type] { |
| mutate { |
| add_field => { "vnfType" => "%{[AAI][generic-vnf.vnf-type]}" } |
| } |
| } |
| if [AAI][vserver.vserver-name] { |
| mutate { |
| add_field => { "vmName" => "%{[AAI][vserver.vserver-name]}" } |
| } |
| } |
| if [AAI][complex.city] { |
| mutate { |
| add_field => { "locationCity" => "%{[AAI][complex.city]}" } |
| } |
| } |
| if [AAI][complex.state] { |
| mutate { |
| add_field => { "locationState" => "%{[AAI][complex.state]}" } |
| } |
| } |
| |
| |
| # |
| # Adding some flags to ease aggregation |
| # |
| if [closedLoopEventStatus] =~ /(?i)ABATED/ { |
| mutate { |
| add_field => { "flagAbated" => "1" } |
| } |
| } |
| if [notification] =~ /^.*?(?:\b|_)FINAL(?:\b|_).*?(?:\b|_)FAILURE(?:\b|_).*?$/ { |
| mutate { |
| add_field => { "flagFinalFailure" => "1" } |
| } |
| } |
| |
| |
| if "error" not in [tags] { |
| # |
| # Creating data for a secondary index |
| # |
| clone { |
| clones => [ "event-cl-aggs" ] |
| add_tag => [ "event-cl-aggs" ] |
| } |
| |
| if "event-cl-aggs" in [tags] { |
| # |
| # we only need a few fields for aggregations; remove all fields from clone except : |
| # vmName,vnfName,vnfType,requestID,closedLoopAlarmStart, closedLoopControlName,closedLoopAlarmEnd,abated,nbrDmaapevents,finalFailure |
| # |
| prune { |
| whitelist_names => ["^@.*$","^topic$","^type$","^tags$","^flagFinalFailure$","^flagAbated$","^locationState$","^locationCity$","^vmName$","^vnfName$","^vnfType$","^requestID$","^closedLoopAlarmStart$","^closedLoopControlName$","^closedLoopAlarmEnd$","^target$","^target_type$","^triggerSourceName$","^policyScope$","^policyName$","^policyVersion$"] |
| } |
| |
| } |
| } |
| } |
| |
| output { |
| stdout { |
| codec => rubydebug { metadata => true } |
| } |
| |
| if "error" in [tags] { |
| elasticsearch { |
| codec => "json" |
| hosts => ["${elasticsearch_base_url}"] |
| user => "${LOGSTASH_USR}" |
| password => "${LOGSTASH_PWD}" |
| index => "errors-%{+YYYY.MM.DD}" |
| doc_as_upsert => true |
| } |
| |
| } else if "event-cl-aggs" in [tags] { |
| elasticsearch { |
| codec => "json" |
| hosts => ["${elasticsearch_base_url}"] |
| user => "${LOGSTASH_USR}" |
| password => "${LOGSTASH_PWD}" |
| document_id => "%{requestID}" |
| index => "events-cl-%{+YYYY.MM.DD}" # creates daily indexes for control loop |
| doc_as_upsert => true |
| action => "update" |
| } |
| |
| } else { |
| elasticsearch { |
| codec => "json" |
| hosts => ["${elasticsearch_base_url}"] |
| user => "${LOGSTASH_USR}" |
| password => "${LOGSTASH_PWD}" |
| index => "events-raw-%{+YYYY.MM.DD}" # creates daily indexes |
| doc_as_upsert => true |
| } |
| } |
| } |