[WIP] Introduce the GrokProcessor

[talevy]

Also moved all processor classes into a subdirectory and introduced a
ConfigException class to be a catch-all for things that can go wrong
when constructing new processors with configurations that possibly throw
exceptions. The GrokProcessor loads patterns from the resources
directory.

Running your first Grok Pipeline

1. pull changes from this PR

2. launch a single node with ingest plugin using the IngestRunner

   cd plugins/ingest
   mvn exec:java -Dexec.mainClass="IngestRunner" -Dexec.classpathScope="test"

3. Find a log file you wish to parse

   # file: logs
   83.109.8.216 [19/Jul/2015:08:13:42 +0000]
   90.149.9.302 [19/Jul/2015:08:13:44 +0000]
   ...
   

4. Create your desired pipeline in Elasticsearch

   # file: put_pipeline.py
   import requests
   requests.put("http://localhost:9200/_ingest/pipeline/my_pipeline_id", json={
   "description": "simple_pipeline",
   "processors": [{
       "grok": {
         "field": "message",
         "pattern": '%{IPORHOST:clientip} \[%{HTTPDATE:timestamp}\]'
       }
     }]
   })

5. Use the elasticsearch python client to ingest your logs

   from elasticsearch import Elasticsearch,helpers
   es = Elasticsearch()
   
   # parse line into valid json document
   def parse_file(f):
       for line in f:
           yield { 'message': line.strip() }
   
   # read `logs` file and index into elasticsearch
   with open("logs", "r") as f:
       for ok, result in helpers.streaming_bulk(es, parse_file(f), index="test", doc_type="test", params={"ingest": "my_pipeline_id"}):
           action, result = result.popitem()
           # print response
           print result

6. your documents should be parsed and ready for searching within Elasticsearch

[martijnvg]

Stream is unfortunately java8 only, since we are likely to back port ingest to 2.x too we should try to avoid using java8 only constructs and apis.

But instead of fixing this, I think we can just remove this method as it is not used for now?

[martijnvg]

This looks great! I know it is WIP, but I left a couple of comments.

[martijnvg]

the grok field can be final too

[talevy]

Debugging why this is flaky.

Value of doc.get("val") sometimes equals 123.42 and sometimes equals 123.41999816894531.

[martijnvg]

s/HashMap<String, Object> fields/Map<String, Object> fields

[talevy]

ok

[martijnvg]

Left a couple more comments. I think we should also add docs for the grok processor to the ingest.asciidoc file, that contains a minimal description & example and describes the possible named patters that can be used.

[martijnvg]

What if we just load the grok expression only from the config dir. (ES_HOME/config/ingest/grok) We just make sure that when we create the distribution we also package the the ingest config into the zip file. Instead of loading stuff from the class path we can get it via the Environment class. (check the geoip PR how it is injected there)

This has as a nice side effect that users can also define their own named grok expressions without us adding extra code.

[martijnvg]

(we just load all files in the ES_HOME/config/ingest/grok directory)

[talevy]

I am confused... currently the geoip stores the database under resources/config and falls back on using the classpath to fetch the file.

[talevy]

ok, I think I got it. I followed what jvm-example does to manage its config files. An additional assemblies task is executed in maven to load the config files into config/ingest during runtime so that this is the correct relative path from the environment: https://github.com/elastic/elasticsearch/pull/14132/files#diff-77d47a95d3d1f49700f95a7daff92e13R42

[talevy]

@martijnvg Similar to your comment about reusing the same GeoIP instance across GeoProcessors. Do you think the same should be done with Grok? As in to use the same Grok instance across all grok processors to avoid re-loading the same configs each time a processor is created?

UPDATE: NEVERMIND

[martijnvg]

I don't think we should make the patterns dir configurable? Outside the ES_HOME directory ES has insufficient permissions to read files. I think the patterns dir should always be $ES_HOME/config/ingest/grok/patterns.

[martijnvg]

I don't think the custom task isn't needed, if all resources are placed under src/main/packaging/config.

@rjernst added logic that bundles custom files that is placed in src/main/packaging into the plugin zip file: https://github.com/elastic/elasticsearch/blob/master/buildSrc/src/main/groovy/org/elasticsearch/gradle/plugin/PluginBuildPlugin.groovy#L97

[rjernst]

Yes, please use src/main/packaging!

[martijnvg]

@talevy left two minor comments, other then that LGTM.