# Reports the concurrency mode of this script as the symbol :shared.
# The consumer of this value lives outside this file.
#
# @return [Symbol] always :shared
def concurrency
  mode = :shared
  mode
end
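# Reads the script parameters once and caches them in instance variables
# for use by +filter+.
#
# Keys read from +params+:
#   "prefix"         - literal index prefix
#   "prefix_env"     - name of an environment variable holding the prefix,
#                      consulted only when "prefix" is absent
#   "prefix_default" - used when the resolved prefix is an empty string
#   "suffix", "suffix_env", "suffix_default" - same scheme for the suffix
#   "midfix_fields"  - one field name or an Array of field names
#   "target"         - field that receives the generated index name
#
# @param params [Hash] script parameters keyed by String
# @return [Object] the value stored in @target
def register(params)
  require 'time'

  @prefix = params["prefix"]
  prefix_env = params["prefix_env"]
  @prefix = ENV[prefix_env] if @prefix.nil? && !prefix_env.nil?
  # The default replaces an *empty* value only. NOTE(review): when neither
  # "prefix" nor the named environment variable is set, @prefix stays nil and
  # filter will raise on it - confirm that fail-loud behaviour is intended.
  @prefix = params["prefix_default"] if !@prefix.nil? && @prefix.empty?

  @suffix = params["suffix"]
  suffix_env = params["suffix_env"]
  @suffix = ENV[suffix_env] if @suffix.nil? && !suffix_env.nil?
  # Same rule as for the prefix: only an empty string falls back to the default.
  @suffix = params["suffix_default"] if !@suffix.nil? && @suffix.empty?

  # Normalize "midfix_fields" to an Array: nil or an empty scalar gives [],
  # a non-empty scalar is wrapped, and an Array is used as given.
  midfix_fields = params["midfix_fields"]
  @midfix =
    if midfix_fields.nil?
      []
    elsif midfix_fields.is_a?(Array)
      midfix_fields
    elsif midfix_fields.empty?
      []
    else
      [midfix_fields]
    end

  @target = params["target"]
end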
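# Builds an index name for the event and stores it in the @target field.
#
# The name is <prefix><midfix><separator><suffix>, lower-cased, where:
#   prefix    - @prefix without a trailing '*'; if its last character is not
#               in a-z0-9, that character is moved out to act as separator
#   midfix    - '_' plus the first non-empty value among the @midfix fields
#   suffix    - @suffix with each %{...} token replaced by strftime of the
#               event time using the token's content as the format
#
# @param event [Object] object responding to get(field) and set(field, value)
# @return [Array] one-element array holding the (mutated) event
def filter(event)
  # Use the event's own timestamp when present, otherwise the current time; both in UTC.
  event_time = event.get("[@timestamp]")
  tstamp = event_time.nil? ? Time.now.utc : Time.at(event_time.to_i).utc

  prefix_resolved = @prefix.delete_suffix('*')
  last_char = prefix_resolved[-1]
  # last_char is nil when the prefix is empty after stripping '*'; treat that
  # as "no separator" instead of raising NoMethodError on nil.
  if last_char.nil? || last_char.count("^a-z0-9").zero?
    suffix_separator = ''
  else
    suffix_separator = last_char
    prefix_resolved = prefix_resolved[0..-2]
  end

  suffix_resolved = @suffix
  @suffix.scan(/(%{([^}]+)})/).each do |token, time_format|
    # Block form so the formatted text is inserted literally; the
    # string-replacement form would interpret backslash sequences in it.
    suffix_resolved = suffix_resolved.sub(token) { tstamp.strftime(time_format) }
  end

  # NOTE(review): the field value is copied into the index name as-is apart
  # from the final downcase. It is event-derived data, so characters the index
  # backend rejects are not filtered here, and a non-String value raises -
  # confirm the value is normalized upstream.
  midfix_value = nil
  @midfix.each do |field|
    candidate = event.get("#{field}")
    next if candidate.nil? || candidate.empty?

    midfix_value = '_' + candidate
    break
  end

  index_name = prefix_resolved + String(midfix_value) + suffix_separator + suffix_resolved
  event.set("#{@target}", index_name.downcase)
  [event]
end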