Merge pull request #480 from wiibaa/output-mails

Allow @message, @source etc in match for email output
2025-04-24 06:37:19 -04:00 · 2013-05-28 23:59:03 -07:00 · 2013-05-28 23:59:03 -07:00 · 86dc8ba4cc
commit 86dc8ba4cc
parent 4f2316c9d8 655f1521ac
3 changed files with 68 additions and 5 deletions
--- a/2
+++ b/2
@ -11,6 +11,8 @@

  ## outputs
  - feature: irc: add messages_per_second tunable (LOGSTASH-962)
+  - bugfix: emails: restored initial really useful documentation
+  - improvement: emails: allow @message, @source, @... in match (LOGSTASH-826, LOGSTASH-823) 

 1.1.12 (May 7, 2013)
  ## filters
--- a/lib/logstash/outputs/email.rb
+++ b/lib/logstash/outputs/email.rb
@ -1,7 +1,40 @@
 require "logstash/outputs/base"
 require "logstash/namespace"

-
+# https://github.com/mikel/mail
+# supports equal(default), not equal(!), greater than(>), less than(<), greater than or equal(>=), less than or equal(<=), contains(*), does not contain(!*)
+# you must provide a matchName - which is the key.  Then provide your query values - again in key value pairs, separated by a ',' in the value spot.
+# You can say this : 
+# [ "response errors", "response,501,,or,response,301" ] 
+# I hate making requirements like this but this is the format that is the most flexible for making fine selections over data. 
+# NOTE: In the above example we are using just an equality test - so the two values must be exact for matches to be made. You must provide an AND/OR block 
+# between conditions so we know how to deal with them.  Please see below for an example where you wanted an AND instead of the OR default - this would require both to be valid. 
+# [ "response errors", "response,501,,and,response,301" ] 
+# as you can see you can just seperate the Operator logic with a blank key and the operator of your liking - AND/OR 
+# IMPORTANT : you MUST provide a "matchName". This is so I can easily be able to provide a label of sorts for the alert.  
+# In addition, we break after we find  the first valid match. 
+#
+#   email {
+#        tags => [ "sometag" ]
+#        match => [ "response errors", "response,501,,or,response,301",
+#                   "multiple response errors", "response,501,,and,response,301" ] 
+#        to => "main.contact@domain.com"
+#        from => "alert.account@domain.com" # default: logstash.alert@nowhere.com
+#        cc => "" # provide additional recipients
+#        options => [ "smtpIporHost", "smtp.gmail.com",
+#                     "port", "587",
+#                     "domain", "yourDomain", # optional
+#                     "userName", "yourSMTPUsername", 
+#                     "password", "PASS", 
+#                     "starttls", "true",
+#                     "authenticationType", "plain",
+#                     "debug", "true" # optional
+#                   ]
+#        via => "smtp" # or pop or sendmail
+#        subject => "Found '%{matchName}' Alert on %{@source_host}"
+#        body => "Here is the event line %{@message}"
+#        htmlbody => "<h2>%{matchName}</h2><br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
+#    }
 class LogStash::Outputs::Email < LogStash::Outputs::Base

  config_name "email"
@ -161,8 +194,8 @@ class LogStash::Outputs::Email < LogStash::Outputs::Base
            @logger.error("Operator Provided Is Not Found, Currently We Only Support AND/OR Values! - defaulting to OR")
          end
        else
-          hasField = event.fields.has_key?(field)
-          @logger.debug("Does Event Contain Field - ", :hasField => hasField)
+          hasField = event[field]
+          @logger.debug? and @logger.debug("Does Event Contain Field - ", :hasField => hasField)
          isValid = false
          # if we have maching field and value is wildcard - we have a success
          if hasField
@ -170,8 +203,9 @@ class LogStash::Outputs::Email < LogStash::Outputs::Base
              isValid = true
            else
              # we get an array so we need to loop over the values and find if we have a match
-              eventFieldValues = event.fields.fetch(field)
-              @logger.debug("Event Field Values - ", :eventFieldValues => eventFieldValues)
+              eventFieldValues = event[field]
+              @logger.debug? and @logger.debug("Event Field Values - ", :eventFieldValues => eventFieldValues)
+              eventFieldValues = [eventFieldValues] if not eventFieldValues.respond_to?(:each)
              eventFieldValues.each do |eventFieldValue|
                isValid = validateValue(eventFieldValue, value)
                if isValid # no need to iterate any further
--- a/spec/outputs/email.rb
+++ b/spec/outputs/email.rb
@ -141,6 +141,33 @@ describe "outputs/email" do
            insist {message_observer.messages[0].body.raw_source} == "Line1\r\nLine2\r\nLine3"
        end
    end
+
+    describe  "match on @source and @message (LOGSTASH-826)" do
+        config <<-CONFIG
+        input {
+            generator {
+                message => "hello world"
+                count => 1
+                type => "generator"
+            }
+        }
+        output{
+            email {
+                to => "me@host"
+                subject => "Hello World"
+                body => "Mail body"
+                match => ["messageAndSourceMatch", "@message,*hello,,and,@source,*generator"]
+                options => ["port", #{@@port}, "authenticationType", "nil"]
+            }
+        }
+        CONFIG
+
+        agent do
+            insist {message_observer.messages.size} == 1
+            insist {message_observer.messages[0].subject} == "Hello World"
+            insist {message_observer.messages[0].body.raw_source} == "Mail body"
+        end
+    end
 end