cdgraff/gist:8578424

## gistfile1.txt
input {
       	file {
              	path => "/var/log/icecast/access.*"
                type => "icecast"
                start_position=>"beginning" # this be to import old logs
        }
}

filter {
	if [type] == "icecast" {
		grok {
			match => { "message" => "%{COMBINEDAPACHELOG} %{NUMBER:duration}" }
		}
		# this part is important to enable correct filters, as numbers, by default all grok result come as Strings
		mutate {
		      convert => [ "bytes" ,"integer" ]
		      convert => [ "response", "integer" ]
		      convert => [ "duration", "integer" ]
		}

		date {
			match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
			target => "@timestamp"
		}

		if [auth] == "-" {
			geoip {
			      source => "clientip"
			      target => "geoip"
			      # Can download from here: http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
			      database => "/etc/logstash/GeoLiteCity.dat"
			      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
			      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
			}

			mutate {
			      convert => [ "[geoip][coordinates]", "float"]
			}

			if [agent] != "-" and [agent] != "" {
				useragent {
					source => "agent"
					target => "ua"
		                        add_tag => [ "UA" ]
				}
			}
	                if "UA" in [tags] {
         	               if [device] == "Other" { mutate { remove_field => "device" } }
         	               if [name]   == "Other" { mutate { remove_field => "name" } }
         	               if [os]     == "Other" { mutate { remove_field => "os" } }
         	       }
		} else {
			drop { }
		}

	}
}

output{
       	elasticsearch {
                host => "elasticsearch.server.com"
        }
}
	input {
	file {
	path => "/var/log/icecast/access.*"
	type => "icecast"
	start_position=>"beginning" # this be to import old logs
	}
	}

	filter {
	if [type] == "icecast" {
	grok {
	match => { "message" => "%{COMBINEDAPACHELOG} %{NUMBER:duration}" }
	}
	# this part is important to enable correct filters, as numbers, by default all grok result come as Strings
	mutate {
	convert => [ "bytes" ,"integer" ]
	convert => [ "response", "integer" ]
	convert => [ "duration", "integer" ]
	}

	date {
	match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
	target => "@timestamp"
	}

	if [auth] == "-" {
	geoip {
	source => "clientip"
	target => "geoip"
	# Can download from here: http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
	database => "/etc/logstash/GeoLiteCity.dat"
	add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
	add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
	}

	mutate {
	convert => [ "[geoip][coordinates]", "float"]
	}

	if [agent] != "-" and [agent] != "" {
	useragent {
	source => "agent"
	target => "ua"
	add_tag => [ "UA" ]
	}
	}
	if "UA" in [tags] {
	if [device] == "Other" { mutate { remove_field => "device" } }
	if [name] == "Other" { mutate { remove_field => "name" } }
	if [os] == "Other" { mutate { remove_field => "os" } }
	}
	} else {
	drop { }
	}

	}
	}

	output{
	elasticsearch {
	host => "elasticsearch.server.com"
	}
	}