
@cdenneen
Last active December 20, 2015 17:19
# Filter chain: trim whitespace in selected fields, join continuation lines,
# parse the "datetime" field, tag the event from its own fields, then drop
# helper fields. The filters are written in the order they are meant to run,
# so keep that order when editing.
filter {
# Whitespace clean-up, restricted to events of type "json".
# "datetime" loses one trailing space or tab. In the other four fields every
# run of two or more spaces/tabs is deleted outright (replaced with "", not
# with a single space), so words separated only by such a run end up joined.
mutate {
type => json
gsub => [
"datetime", "[ \t]$", "",
"process", "[ \t]{2,}", "",
"area", "[ \t]{2,}", "",
"category", "[ \t]{2,}", "",
"level", "[ \t]{2,}", ""
]
}
# Lines matching a dd/dd/dddd dd:dd:dd.dd timestamp followed by a literal "*"
# are attached to the previous event.
# NOTE(review): no "type" is set here, unlike the mutate blocks above and
# below, so this is not limited to "json" events -- confirm that is intended.
multiline {
pattern => "\d\d\/\d\d\/\d\d\d\d \d\d\:\d\d\:\d\d\.\d\d\*"
what => previous
}
# Parse "datetime" with either format; the second one accepts the trailing "*".
# NOTE(review): the date filter normally writes the parsed value to the event
# timestamp, and "EventReceivedTime" is removed further down. After this chain
# the only time left on the event is the one the log source supplied, so any
# timeline built from these events depends on the sender's clock -- confirm
# that is acceptable for incident-response use.
date {
match => [ "datetime", "MM/dd/YYYY HH:mm:ss.SS", "MM/dd/YYYY HH:mm:ss.SS*" ]
}
# For "json" events: move "message" to "@message" and add two tags whose
# values are taken from the event's own "app" and "tags" fields.
# NOTE(review): these tag values are whatever the sender put in those fields;
# do not rely on them for routing or access decisions unless the senders are
# trusted. Presumably an event lacking the field gets the literal text
# "%{app}" / "%{tags}" as a tag -- verify.
# NOTE(review): add_tag is given twice; confirm the Logstash version in use
# merges repeated settings instead of keeping only the last one.
mutate {
type => json
rename => [ "message", "@message" ]
add_tag => "%{app}"
add_tag => "%{tags}"
}
# Drop fields that are no longer wanted once parsing and tagging are done.
# This block has no "type", so it is not limited to "json" events.
# NOTE(review): "SourceModuleName", "SourceModuleType" and "EventReceivedTime"
# look like metadata added by the log shipper (confirm); removing them discards
# the record of which input module handled the event and when it was received.
# NOTE(review): on Logstash versions that keep the tag list itself in a field
# named "tags", removing "tags" would also discard the tags added above --
# confirm against the version in use.
mutate {
remove => [ "SourceModuleName", "SourceModuleType", "EventReceivedTime", "tags", "app", "datetime" ]
}
}

cdenneen commented Aug 6, 2013

# Filter chain: trim whitespace in selected fields, join continuation lines,
# parse the "datetime" field (two date filters, the second flags the "*"
# variant), tag the event from its own fields, then drop helper fields.
# The filters are written in the order they are meant to run.
filter {
  # Whitespace clean-up, restricted to events of type "json".
  # "datetime" loses one trailing space or tab. In the other four fields every
  # run of two or more spaces/tabs is deleted outright (replaced with "", not
  # with a single space).
  mutate {
    type => json
    gsub => [
      "datetime", "[ \t]$", "",
      "process", "[ \t]{2,}", "",
      "area", "[ \t]{2,}", "",
      "category", "[ \t]{2,}", "",
      "level", "[ \t]{2,}", ""
    ]
  }
  # Lines matching a dd/dd/dddd dd:dd:dd.dd timestamp followed by a literal "*"
  # are attached to the previous event.
  # NOTE(review): no "type" is set here, so this is not limited to "json"
  # events -- confirm that is intended.
  multiline {
    pattern => "\d\d\/\d\d\/\d\d\d\d \d\d\:\d\d\:\d\d\.\d\d\*"
    what => previous
  }
  # First attempt: plain timestamp without the trailing "*".
  # NOTE(review): both date filters run on every event; presumably this one
  # fails to parse values that end in "*" and the next one handles them --
  # check how the Logstash version in use reports such parse failures.
  date {
    match => [ "datetime", "MM/dd/YYYY HH:mm:ss.SS" ]
  }
  # Second attempt: timestamp with the trailing "*"; also sets
  # extraline = "true" on the event.
  # NOTE(review): presumably add_field is applied only when this match
  # succeeds, which would make "extraline" a marker for "*" lines -- verify.
  # NOTE(review): the date filter normally writes the parsed value to the event
  # timestamp, and "EventReceivedTime" is removed further down, so the only
  # time left on the event is the one the log source supplied -- confirm that
  # is acceptable for incident-response timelines.
  date {
    match => [ "datetime", "MM/dd/YYYY HH:mm:ss.SS*" ]
    add_field => [ "extraline", "true" ]
  }
  # For "json" events: move "message" to "@message" and add two tags whose
  # values are taken from the event's own "app" and "tags" fields.
  # NOTE(review): these tag values are whatever the sender put in those fields;
  # do not rely on them for routing or access decisions unless the senders are
  # trusted.
  # NOTE(review): add_tag is given twice; confirm the Logstash version in use
  # merges repeated settings instead of keeping only the last one.
  mutate {
    type => json
    rename => [ "message", "@message" ]
    add_tag => "%{app}"
    add_tag => "%{tags}"
  }
  # Drop fields that are no longer wanted once parsing and tagging are done.
  # This block has no "type", so it is not limited to "json" events.
  # NOTE(review): "SourceModuleName", "SourceModuleType" and
  # "EventReceivedTime" look like metadata added by the log shipper (confirm);
  # removing them discards the record of which input module handled the event
  # and when it was received.
  # NOTE(review): on Logstash versions that keep the tag list itself in a field
  # named "tags", removing "tags" would also discard the tags added above --
  # confirm against the version in use.
  mutate {
    remove => [ "SourceModuleName", "SourceModuleType", "EventReceivedTime", "tags", "app", "datetime" ]
  }
}
