alexanderilyin/-

## -
filter {

  if [type] == 'php-errors-json' {
          json {
            source => 'message'
            remove_field => '[message]'
          }
         date {
             match        => [ "[timestamp]", "UNIX" ]
             target       => "@timestamp"
             remove_field => "[timestamp]"
         }

  } else if [type] == 'php-errors-plain' {

     # Time prefix appears on each line
     multiline {
         pattern => "(^Stack trace:|^#\d+|^\s+)"
         what    => "previous"
     }

     # Workaround for tags _grokparsefailure with multiline because (?m) didn't help
     mutate {
         gsub => [
             'message', "\n", " ",
             'message', "\r", " "
         ]
     }

     grok {
         match => [ "message", "\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} (?<timezone>%{TZ}|%{WORD}/%{WORD})\] PHP %{DATA:level}\:\s+%{GREEDYDATA:error} in (?<filename>%{UNIXPATH}|Unknown|Command line code) on line %{NUMBER:line}" ]
         add_field    => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{timezone}" }
         add_tag      => [ "%{level}" ]
         remove_field => [ "day", "month", "year", "time", "timezone"]
     }

     date {
         match        => [ "timestamp" , "dd-MMM-yyyy HH:mm:ss ZZZ", "yyyy-MM-dd HH:mm:ss" ]
         target       => "@timestamp"
         remove_field => "timestamp"
     }

     # Beautify
     mutate {
         uppercase => [ "level" ]
         lowercase => [ "tags" ]
         gsub      => [
             "tags",  " ", "_",
             "level", " ", "_"
         ]
     }
    }

}
	filter {

	if [type] == 'php-errors-json' {
	json {
	source => 'message'
	remove_field => '[message]'
	}
	date {
	match => [ "[timestamp]", "UNIX" ]
	target => "@timestamp"
	remove_field => "[timestamp]"
	}

	} else if [type] == 'php-errors-plain' {

	# Time prefix appears on each line
	multiline {
	pattern => "(^Stack trace:\|^#\d+\|^\s+)"
	what => "previous"
	}

	# Workaround for tags _grokparsefailure with multiline because (?m) didn't help
	mutate {
	gsub => [
	'message', "\n", " ",
	'message', "\r", " "
	]
	}

	grok {
	match => [ "message", "\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} (?<timezone>%{TZ}\|%{WORD}/%{WORD})\] PHP %{DATA:level}\:\s+%{GREEDYDATA:error} in (?<filename>%{UNIXPATH}\|Unknown\|Command line code) on line %{NUMBER:line}" ]
	add_field => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{timezone}" }
	add_tag => [ "%{level}" ]
	remove_field => [ "day", "month", "year", "time", "timezone"]
	}

	date {
	match => [ "timestamp" , "dd-MMM-yyyy HH:mm:ss ZZZ", "yyyy-MM-dd HH:mm:ss" ]
	target => "@timestamp"
	remove_field => "timestamp"
	}

	# Beautify
	mutate {
	uppercase => [ "level" ]
	lowercase => [ "tags" ]
	gsub => [
	"tags", " ", "_",
	"level", " ", "_"
	]
	}
	}

	}