hacktvist/logstashfilter

## logstashfilter
filter {
       if "apache_access_json" in [tags] {

          if [useragent] != "-" and [useragent] != "" {
             useragent {
                       add_tag => [ "UA" ]
                       source => "useragent"
                       prefix => "UA-"
             }
          }

          mutate {
                 convert => ['duration', 'float']
          }

          ruby {
               code => "event['duration']/=1000000"
          }

          if [bytes] == 0 { mutate { remove_field => "[bytes]" } }
          if [urlquery]              == "" { mutate { remove_field => "urlquery" } }
          if [method]    =~ "(HEAD|OPTIONS)" { mutate { remove_field => "method" } }
          if [useragent] == "-"              { mutate { remove_field => "useragent" } }
          if [referer]   == "-"              { mutate { remove_field => "referer" } }

          if "UA" in [tags] {
             if [device] == "Other" { mutate { remove_field => "device" } }
             if [name]   == "Other" { mutate { remove_field => "name" } }
             if [os]     == "Other" { mutate { remove_field => "os" } }
          }
       }
}
	filter {
	if "apache_access_json" in [tags] {

	if [useragent] != "-" and [useragent] != "" {
	useragent {
	add_tag => [ "UA" ]
	source => "useragent"
	prefix => "UA-"
	}
	}

	mutate {
	convert => ['duration', 'float']
	}

	ruby {
	code => "event['duration']/=1000000"
	}

	if [bytes] == 0 { mutate { remove_field => "[bytes]" } }
	if [urlquery] == "" { mutate { remove_field => "urlquery" } }
	if [method] =~ "(HEAD\|OPTIONS)" { mutate { remove_field => "method" } }
	if [useragent] == "-" { mutate { remove_field => "useragent" } }
	if [referer] == "-" { mutate { remove_field => "referer" } }

	if "UA" in [tags] {
	if [device] == "Other" { mutate { remove_field => "device" } }
	if [name] == "Other" { mutate { remove_field => "name" } }
	if [os] == "Other" { mutate { remove_field => "os" } }
	}
	}
	}