def it_captures_named_fields_even_if_the_whole_text_matches():
    """A single %{PATTERN:name} that spans the whole line still yields that named field.

    The pattern directory 'patterns/' is relative, so this spec depends on the
    working directory of the test runner.
    """
    grokker = LineGrokker('%{DATE_EU:stimestamp}', PatternRepo(['patterns/']))
    event = grokker.grok('2011/01/01')
    print('subject: %s' % event)
    expect(event["stimestamp"]).to_equal("2011/01/01")
def it_groks_patterns():
    """A named capture group may wrap pattern references (%{DATE_EU} %{TIME}).

    The expected value excludes the leading 'fancy ' text, i.e. the capture is
    the matched sub-span, not the whole input line.
    """
    grokker = LineGrokker('(?<timestamp>%{DATE_EU} %{TIME})', PatternRepo(['patterns/']))
    event = grokker.grok('fancy 2001-02-03 04:05:06')
    print('subject: %s' % event)
    expect(event["timestamp"]).to_equal("2001-02-03 04:05:06")
def it_uses_named_captures():
    """A plain named capture with no %{...} reference is honoured as a field.

    NOTE(review): the (?<name>...) form is not Python's native (?P<name>...)
    syntax; presumably LineGrokker rewrites it — confirm in the implementation.
    """
    grokker = LineGrokker(r'(?<foo>\w+)', PatternRepo(['patterns/']))
    event = grokker.grok('hello world')
    print('subject: %s' % event)
    expect(event["foo"]).to_equal("hello")
def it_allows_dashes_in_capture_names():
    """A field name containing '-' (foo-bar) should be usable in %{WORD:foo-bar}.

    Marked not implemented by the author; expect this spec to fail until the
    grokker accepts dashes in capture names.
    """
    # not implemented
    grokker = LineGrokker('%{WORD:foo-bar}', PatternRepo(['patterns/']))
    event = grokker.grok('hello world')
    print('subject: %s' % event)
    expect(event["foo-bar"]).to_equal("hello")
def it_keep_empty_fields():
    """An optional group that did not match still produces its field, valued None.

    This is the inverse expectation of it_drops_empty_fields_by_default (which
    is marked not implemented); only one of the two specs can pass against a
    given LineGrokker.
    """
    grokker = LineGrokker('1=%{WORD:foo1} *(2=%{WORD:foo2})?', PatternRepo(['patterns/']))
    event = grokker.grok('1=test')
    expect(event).has_element("foo1")
    # 'foo2' did not match the optional group; this spec expects the key to be
    # kept in the event with a None value rather than dropped.
    expect(event).has_element("foo2")
    expect(event["foo2"]).to_equal(None)
def it_drops_empty_fields_by_default():
    """An optional group that did not match should leave no key in the event.

    Marked not implemented by the author; it contradicts it_keep_empty_fields,
    which expects the unmatched key to be present with value None.
    """
    # not implemented
    grokker = LineGrokker('1=%{WORD:foo1} *(2=%{WORD:foo2})?', PatternRepo(['patterns/']))
    event = grokker.grok('1=test')
    expect(event).has_element("foo1")
    # Since 'foo2' was not captured, it must not be present in the event.
    expect(event).not_has_element("foo2")
def it_groks_simple_syslog_line():
    """%{SYSLOGLINE} splits a BSD-style syslog line into its component fields."""
    grokker = LineGrokker('%{SYSLOGLINE}', PatternRepo(['patterns/']))
    event = grokker.grok('Mar 16 00:01:25 evita postfix/smtpd[1713]: connect from camomile.cloud9.net[168.100.1.3]')
    print('subject: %s' % event)
    # Checked in the same order as the original assertions so a failure is
    # reported on the same field.
    expected = [
        ("logsource", "evita"),
        ("timestamp", "Mar 16 00:01:25"),
        ("message", "connect from camomile.cloud9.net[168.100.1.3]"),
        ("program", "postfix/smtpd"),
        ("pid", "1713"),
    ]
    for field, value in expected:
        expect(event[field]).to_equal(value)
def it_groks_ietf_5424_syslog_line():
    """%{SYSLOG5424LINE} splits an RFC 5424 line into header, structured data and message.

    The structured-data field is expected verbatim (brackets and quotes
    included) rather than parsed; the msgid field is expected to be None for
    this input.
    """
    grokker = LineGrokker('%{SYSLOG5424LINE}', PatternRepo(['patterns/']))
    event = grokker.grok('<191>1 2009-06-30T18:30:00+02:00 paxton.local grokdebug 4123 - [id1 foo=\"bar\"][id2 baz=\"something\"] Hello, syslog.')
    print('subject: %s' % event)
    # Same order as the original assertions so a failure is reported on the
    # same field.
    expected = [
        ("syslog5424_pri", "<191>"),
        ("syslog5424_ver", "1"),
        ("syslog5424_ts", "2009-06-30T18:30:00+02:00"),
        ("syslog5424_host", "paxton.local"),
        ("syslog5424_app", "grokdebug"),
        ("syslog5424_proc", "4123"),
        ("syslog5424_msgid", None),
        ("syslog5424_sd", "[id1 foo=\"bar\"][id2 baz=\"something\"]"),
        ("syslog5424_msg", "Hello, syslog."),
    ]
    for field, value in expected:
        expect(event[field]).to_equal(value)