From c9d484e7971bae7908bcb763ee6499baa053c3cc Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Wed, 29 May 2013 14:43:44 -0700
Subject: [PATCH] Handle multiline Logstash events per file.

* modules/openstack_project/files/logstash/log-pusher.py: Add a filename
field to logstash events that can be used to associate multiline events
in files to their appropriate parents in the same file.

* modules/openstack_project/templates/logstash/indexer.conf.erb: Add
stream_identities to the mutliline filters that use the source host and
file name to determine relationships between mutliline events.

Change-Id: Ia325c0e1257131ab1b721c4df8f70f6bea1d0b99
Reviewed-on: https://review.openstack.org/30953
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
---
 modules/openstack_project/files/logstash/log-pusher.py        | 1 +
 modules/openstack_project/templates/logstash/indexer.conf.erb | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/modules/openstack_project/files/logstash/log-pusher.py b/modules/openstack_project/files/logstash/log-pusher.py
index a613f90a7f..8b04810e7a 100644
--- a/modules/openstack_project/files/logstash/log-pusher.py
+++ b/modules/openstack_project/files/logstash/log-pusher.py
@@ -133,6 +133,7 @@ class LogRetriever(threading.Thread):
 
     def _parse_fields(self, event):
         fields = {}
+        fields["filename"] = self.filename
         fields["build_name"] = event.get("name", "UNKNOWN")
         fields["build_status"] = event["build"].get("status", "UNKNOWN")
         fields["build_number"] = event["build"].get("number", "UNKNOWN")
diff --git a/modules/openstack_project/templates/logstash/indexer.conf.erb b/modules/openstack_project/templates/logstash/indexer.conf.erb
index 3cc97a4750..0adf897f4a 100644
--- a/modules/openstack_project/templates/logstash/indexer.conf.erb
+++ b/modules/openstack_project/templates/logstash/indexer.conf.erb
@@ -32,6 +32,7 @@ filter {
     negate => true
     pattern => "^%{DATESTAMP} \|"
     what => "previous"
+    stream_identity => "%{@source_host}.%{filename}"
   }
   multiline {
     type => "jenkins"
@@ -39,6 +40,7 @@ filter {
     negate => true
     pattern => "^%{DATESTAMP} "
     what => "previous"
+    stream_identity => "%{@source_host}.%{filename}"
   }
   grok {
     type => "jenkins"