Sample logstash.conf

logstash.conf

input {
  beats {
    port => "5555"
  }
}

filter {
  if [source_type] == "access" {
    grok {
      patterns_dir => [ "/home/user/logstash/patterns"]
      match => { "message" => "%{NGINX_ACCESS}" }
      add_tag => [ "nginx_access" ]
    }
    grok {
      match => { "request" => "^/[^/]+/[^/]+/(?<route>\w+/\w+)"}
    }
    mutate {
      gsub => [
        # replace all forward slashes with underscore
        "route", "/", "_",
      ]
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      remove_field => [ "timestamp", "message" ]
    }
    ruby {
      code => "event.set('req_time_ms', event.get('response_time').to_f * 1000)"
    }
    metrics {
      timer => [ "api.%{app_id}.response_time_ms", "%{req_time_ms}", "api.%{app_id}.route.%{route}.response_time_ms", "%{req_time_ms}" ]
      meter => [ "api.%{app_id}.request.%{response}", "api.%{app_id}.route.%{route}.request.%{response}" ]
      flush_interval => 10
      percentiles => [1, 5, 50, 90, 95, 99]
      add_tag => "metric"
    }
  }

  if [source_type] == "streamline" {
    json {
      source => "message"
    }
    date {
      match => [ "time", "UNIX" ]
      remove_field => [ "time", "message" ]
    }
    metrics {
      meter => [ "api.%{app_id}.streamline.%{success_type}.%{response_status}" ]
      timer => [ "api.%{app_id}.streamline.response_time_ms", "%{duration}" ]
      flush_interval => 10
      percentiles => [1, 5, 50, 90, 95, 99]
      add_tag => "metric"
    }
  }
}
output {
  if "metric" in [tags] {
    stdout {
      codec => "rubydebug"
    }
    graphite {
      host => "10.2.15.155"
      fields_are_metrics => true
      exclude_metrics => [ "%{[^}]+}", "message", "tags" ]
    }
  }
}