Ingest Pipeline tester using Simulate API

[kvch]

This script is tests a single log line or multiple lines against an Ingest pipeline using the Simulate API. It creates a request and displays the response from Elasticsearch.

Usage

Usage of /tmp/go-build407861954/b001/exe/main:
  -elasticsearch string
        Elasticsearch URL (default "http://localhost:9200")
  -log string
        Single log line to test
  -logfile string
        Path to log file
  -maxbytes int
        Number of max bytes to be read (default 10485760)
  -modules string
        Path to modules (default "./modules")
  -multiline.mode string
        Multiline mode (default "before")
  -multiline.negate
        Multiline negate
  -multiline.pattern string
        Multiline pattern
  -pipeline string
        Path to pipeline
  -simulate.verbose
        Call Simulate API with verbose option
  -strict.perms
        Strict permission checking on config files (default true)
  -verbose
        Print full output of Simulate API

Finding pipelines

1. specify path to one pipeline
2. specify a directory to look for pipelines
3. specify a module/fileset pair and find its pipeline

Examples

Correct pipeline

Input pipeline: PostgreSQL/log
Input log: 2017-04-03 22:32:14.322 CEST [31225] postgres@mydb LOG: could not receive data from client: Connection reset by peer

$ go run main.go -pipeline "../../module/postgresql/log/ingest/pipeline.json" -log "2017-04-03 22:32:14.322 CEST [31225] postgres@mydb LOG:  could not receive data from client: Connection reset by peer" -verbose
{
  "docs": [
    {
      "doc": {
        "_id": "id",
        "_index": "index",
        "_ingest": {
          "timestamp": "2018-02-01T18:54:00.450Z"
        },
        "_source": {
          "@timestamp": "2017-04-03T22:32:14.322Z",
          "message": "2017-04-03 22:32:14.322 CEST [31225] postgres@mydb LOG:  could not receive data from client: Connection reset by peer",
          "postgresql": {
            "log": {
              "database": "mydb",
              "level": "LOG",
              "message": "could not receive data from client: Connection reset by peer",
              "thread_id": "31225",
              "timestamp": "2017-04-03 22:32:14.322",
              "timezone": "CEST",
              "user": "postgres"
            }
          }
        },
        "_type": "doc"
      }
    }
  ]
}

Incorrect pipeline

Input pipeline: PostgreSQL/log
Input log: 2017-04-03 22:32:14.322 [31225] postgres@mydb LOG: could not receive data from cl ient: Connection reset by peer

> $ go run main.go -path "../../module/postgresql/log/ingest/pipeline.json" \-log "2017-04-03 22:32:14.322 [31225] postgres@mydb LOG:  could not receive data f
rom client: Connection reset by peer"
{
  "docs": [
    {
      "doc": {
        "_id": "id",
        "_index": "index",
        "_ingest": {
          "timestamp": "2018-02-01T18:56:47.338Z"
        },
        "_source": {
          "error": {
            "message": "Provided Grok expressions do not match field value: [2017-04-03 22:32:14.322 [31225] postgres@mydb LOG:  could not receive data from cl
ient: Connection reset by peer]"
          },
          "message": "2017-04-03 22:32:14.322 [31225] postgres@mydb LOG:  could not receive data from client: Connection reset by peer"
        },
        "_type": "doc"
      }
    }
  ]
}

TODO

• test the tester
• test a single line
• test multiple lines from a file
• multiline handling
  • negate
  • before/after
• handle panics in case of invalid multiline pattern

Questions

• What do you think about the interface?
• Do you need more features?

[ruflin]

This is really cool as it should make testing a pipeline much easier. Having this code in Golang means it could probably also replace parts of our slow "system module tests".

For the naming of the variables / options I suggest to keep them identical to what we have in filebeat. So for multiline it is for example -multiline.match.

The PR reminded me also of #5028 from @urso

[ruflin]

Could we reuse here the logic of our multiline reader to make sure we have the exact same behaviour?

[kvch]

Done.

[urso]

💯

The difference between this and #5028 is, I wanted to run tests based on a user module/prospector configuration. Right from config file. This PR requires you to name the pipeline.json file under test. Both have slightly different use-cases, user vs. module developer. Still this command can still be used by users for very custom pipeline configurations.

A mix of both would be nice. E.g.:

• if input is pipeline json file -> use it
• I pass a directory, lookup the json file:
  • if multiple files exist, check all and output which ones fail and which ones succeed
• If I pass a modules name only -> resolved module directory and treat like directory

As one can push multiple events via SimulateAPI at once, it might be somewhat daunting to read/interpret the output. It's too easy to miss an error. Plus, for debugging purposes it's helpful to add the verbose flag to the API call (in order get collect per processor input/output). E.g. how about: - only show errored events by default (only failed documents, not all)

• have verbose flag to show all contents
• have double-verbose flag to set SimulateAPI verbose flag as wel

[urso]

this panics on invalid pattern. Let's create a somewhat user-friendly error message.

[urso]

The limit should be configurable. Think, users with very big xml documents :/

[urso]

Kinda scary considering users potentially using a 1GB test file :)

[urso]

encoding should be configurable. Especially windows users will oftentimes have utf16

[kvch]

@urso I addressed your review notes.
The CI jobs fail due to ES problems.

[urso]

error message should not say utf8