def it_captures_named_fields_even_if_the_whole_text_matches():
pr = PatternRepo(['patterns/'])
g = LineGrokker('%{DATE_EU:stimestamp}', pr)
subject = g.grok('2011/01/01')
print 'subject: %s' % subject
expect(subject["stimestamp"]).to_equal("2011/01/01")
def it_groks_patterns():
pr = PatternRepo(['patterns/'])
g = LineGrokker('(?<timestamp>%{DATE_EU} %{TIME})', pr)
subject = g.grok('fancy 2001-02-03 04:05:06')
print 'subject: %s' % subject
expect(subject["timestamp"]).to_equal("2001-02-03 04:05:06")
def it_uses_named_captures():
pr = PatternRepo(['patterns/'])
g = LineGrokker('(?<foo>\w+)', pr)
subject = g.grok('hello world')
print 'subject: %s' % subject
expect(subject["foo"]).to_equal("hello")
def it_allows_dashes_in_capture_names():
# not implemented
pr = PatternRepo(['patterns/'])
g = LineGrokker('%{WORD:foo-bar}', pr)
subject = g.grok('hello world')
print 'subject: %s' % subject
expect(subject["foo-bar"]).to_equal("hello")
def it_keep_empty_fields():
pr = PatternRepo(['patterns/'])
g = LineGrokker('1=%{WORD:foo1} *(2=%{WORD:foo2})?', pr)
subject = g.grok('1=test')
expect(subject).has_element("foo1")
# Since 'foo2' was not captured, it must not be present in the event.
expect(subject).has_element("foo2")
expect(subject["foo2"]).to_equal(None)
def it_drops_empty_fields_by_default():
# not implemented
pr = PatternRepo(['patterns/'])
g = LineGrokker('1=%{WORD:foo1} *(2=%{WORD:foo2})?', pr)
subject = g.grok('1=test')
expect(subject).has_element("foo1")
# Since 'foo2' was not captured, it must not be present in the event.
expect(subject).not_has_element("foo2")
def it_groks_simple_syslog_line():
pr = PatternRepo(['patterns/'])
g = LineGrokker('%{SYSLOGLINE}', pr)
subject = g.grok('Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]')
print 'subject: %s' % subject
expect(subject["logsource"]).to_equal("evita")
expect(subject["timestamp"]).to_equal("Mar 16 00:01:25")
expect(subject["message"]).to_equal("connect from camomile.cloud9.net[168.100.1.3]")
expect(subject["program"]).to_equal("postfix/smtpd")
expect(subject["pid"]).to_equal("1713")
def it_groks_ietf_5424_syslog_line():
pr = PatternRepo(['patterns/'])
g = LineGrokker('%{SYSLOG5424LINE}', pr)
subject = g.grok('<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - [id1 foo=\"bar\"][id2 baz=\"something\"] Hello, syslog.')
print 'subject: %s' % subject
expect(subject["syslog5424_pri"]).to_equal("<191>")
expect(subject["syslog5424_ver"]).to_equal("1")
expect(subject["syslog5424_ts"]).to_equal("2009-06-30T18:30:00+02:00")
expect(subject["syslog5424_host"]).to_equal("paxton.local")
expect(subject["syslog5424_app"]).to_equal("grokdebug")
expect(subject["syslog5424_proc"]).to_equal("4123")
expect(subject["syslog5424_msgid"]).to_equal(None)
expect(subject["syslog5424_sd"]).to_equal("[id1 foo=\"bar\"][id2 baz=\"something\"]")
expect(subject["syslog5424_msg"]).to_equal("Hello, syslog.")
