Introduce the dissect library

[jakelandis]

The dissect library will be used for the ingest node as an alternative
to Grok to split a string based on a pattern. Dissect differs from
Grok such that regular expressions are not used to split the string.
Note - Regular expressions are used during construction of the
objects, but not in the hot path.

A dissect pattern takes the form of: '%{a} %{b},%{c}' which is
composed of 3 keys (a,b,c) and two delimiters (space and comma).
This dissect pattern will match a string of the form: 'foo bar,baz'
and will result a key/value pairing of 'a=foo, b=bar, and c=baz'.
See the comments in DissectParser for a full explanation.

This commit does not include the ingest node processor that will consume
it. However, the consumption should be a trivial mapping between the
key/value pairing returned by the parser and the key/value pairing
needed for the IngestDocument.

---

Note to reviewer(s) -

• The the ingest node processor that consumes this will be submitted soon.
• I have not performed performance testing/optimization on this yet, however, I am pretty confident that as-is it will be faster then Grok, but will get some numbers to back that claim.
• Functionality is based on the Logstash dissect plugin, however (mostly) due to tight coupling with Logstash specific code this implementation does not share any code with Logstash.
• The Logstash unit tests have been manually ported here as 'testLogstashSpecs'. The tests most generally passed without any modification, however there are some edge case differences between the implementations that may require further discussion. The test has comments to the differences.

cc: @guyboertje @ph

[elasticmachine]

Pinging @elastic/es-core-infra

[jakelandis]

Changing this PR to a WIP. Running some micro benchmarks shows some potential performance issue in the code, in particular with the match validation (intersection of two lists) and post processing (grouping and sorting).

[jakelandis]

I have addressed the performance bottleneck and updated this PR with the 7.0 Dissect behavior (Beats and Logstash will make corresponding changes to support the same specification for 7.0). I will need to create a small fork of this for the 6.x version to better match Beats and Logstash 6.x behavior.

I ran some micro benchmarks comparing this implementation vs. (ingest node) grok. For parsing a basic syslog and apache log line, this is ~ 3x-5x faster. The score is number of times parsed per second (higher is better). Full details here: https://gist.github.com/jakelandis/663306337e370df9c8c0cc6d5a1f9104

# Run complete. Total time: 00:22:02

Benchmark                           Mode  Cnt       Score      Error  Units
DissectBenchmark.dissectApacheLog  thrpt   10  423663.010 ± 2727.341  ops/s
DissectBenchmark.dissectSysLog     thrpt   10  862173.761 ± 8636.887  ops/s
DissectBenchmark.grokApacheLog     thrpt   10   91178.469 ± 2172.043  ops/s
DissectBenchmark.grokSysLog        thrpt   10  300408.741 ± 3586.303  ops/s

I am not sure if this a meaningful difference in the context of the ingest node processing, and will run similar macro benchmarks against ingest node pipelines (on the Dissect Processor PR).

[jakelandis]

Removed the WIP. This is ready for review.

@guyboertje - can you please validate the main logic (there is a test that mirrors logstash specs)
@rjernst - could you also review

[jakelandis]

I removed the 6.5.0 label from this PR, since the 6.5.0 will require a fork of this PR that implements slightly different rules. After speaking with @ph (beats) and @guyboertje (logstash) the 7.x goal is for stricter compliance to a newly formalized dissect specification. The 6.x goal is for approximate like for like behavior between the 3 products.

This means that the 7.x will be a breaking change to the 6.x, hence the breaking tag.

Specifically, the breaking change will be:

• disambiguate the meaning of ? - 6.x it can be either a named skip key or the key of the reference (indirect) key/value pair (? paired with an &)
  • ? has been replaced by * for key/value reference pairing (formerly ? and & pairs, now * and & pairs).
  • key/value reference pairings * and & (formerly ? and &) are required to come in pairs.

EDIT: After further discussion, this will NOT be a breaking change and will be backported as-is to 6.x. IGNORE THE ABOVE COMMENT.

[rjernst]

This looks ok from the build side. One general comment is I see a lot of package private methods. If they need to be package private for tests that is fine, but please note this with a comment like // pkg private for tests or something like that. Otherwise, please use the least visibility possible.

[jakelandis]

@rjernst - thanks , will add package private comments (or reduce scope if possible)

@guyboertje - could you please review ?

[guyboertje]

LGTM

[jakelandis]

@guyboertje @rjernst thanks!

reduced scope where possible in 9e43ba8

will merge when CI is green.

[jakelandis]

Jenkins test this please

[jakelandis]

Removing the breaking label ... after further discussion it preferred to have a minor difference between ingest/Logstash/Beats in the 6.x instead of a breaking change in ES.

I will backport this PR as-is to 6.x (ignore any comments above about breaking changes).