jeremiahsnapp/gist:09f1fe8c4be7c5246e42

## gistfile1.txt
input {
  stdin {
    type => "stdin-type"
  }

  file {
    type => "erchef"
    path => [ "/dev-shared/logstash/*" ]
    start_position => "beginning"
  }
}

filter {
  grok {
    match => [ "message", "^(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) +(?<host>.*) +method=(?<method>\w+); path=(?:/organizations/(?<organization_id>[^;/]+))?(?<endpoint_head>/[^;/]+)(?<endpoint_tail>[^;\?]*)(?:\?(?<http_query>[^ ]*))?; status=(?<status_code>\d+);(?: req_id=(?<req_id>[^;]+); org_name=(?<org_name>[^;]+);(?: msg=(?<msg>[^;]+);)? couchdb_groups=(?<couchdb_groups>[^;]+); couchdb_containers=(?<couchdb_containers>[^;]+); 503_mode=(?<mode_503>[^;]+); req_time=(?<req_time>[^;]+);(?: rdbms_time=(?<rdbms_time>[^;]+); rdbms_count=(?<rdbms_count>[^;]+);.*?)?(?: couchdb_time=(?<couchdb_time>[^;]+); couchdb_count=(?<couchdb_count>[^;]+);.*?)?(?: authz_time=(?<authz_time>[^;]+); authz_count=(?<authz_count>[^;]+);.*?)?(?: solr_time=(?<solr_time>[^;]+); solr_count=(?<solr_count>[^;]+);.*?)?(?: depsolver_time=(?<depsolver_time>[^;]+); depsolver_count=(?<depsolver_count>[^;]+);.*?)? user=(?<user>[^;]+);)?" ]
  }
  date {
    match => [ "timestamp", "ISO8601" ]
  }
}

output {
  stdout {
    codec => rubydebug
  }

  elasticsearch_http {
    bind_host => "127.0.0.1"
    port => "9200"
  }
}
	input {
	stdin {
	type => "stdin-type"
	}

	file {
	type => "erchef"
	path => [ "/dev-shared/logstash/*" ]
	start_position => "beginning"
	}
	}

	filter {
	grok {
	match => [ "message", "^(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) +(?<host>.) +method=(?<method>\w+); path=(?:/organizations/(?<organization_id>[^;/]+))?(?<endpoint_head>/[^;/]+)(?<endpoint_tail>[^;\?])(?:\?(?<http_query>[^ ]))?; status=(?<status_code>\d+);(?: req_id=(?<req_id>[^;]+); org_name=(?<org_name>[^;]+);(?: msg=(?<msg>[^;]+);)? couchdb_groups=(?<couchdb_groups>[^;]+); couchdb_containers=(?<couchdb_containers>[^;]+); 503_mode=(?<mode_503>[^;]+); req_time=(?<req_time>[^;]+);(?: rdbms_time=(?<rdbms_time>[^;]+); rdbms_count=(?<rdbms_count>[^;]+);.?)?(?: couchdb_time=(?<couchdb_time>[^;]+); couchdb_count=(?<couchdb_count>[^;]+);.?)?(?: authz_time=(?<authz_time>[^;]+); authz_count=(?<authz_count>[^;]+);.?)?(?: solr_time=(?<solr_time>[^;]+); solr_count=(?<solr_count>[^;]+);.?)?(?: depsolver_time=(?<depsolver_time>[^;]+); depsolver_count=(?<depsolver_count>[^;]+);.?)? user=(?<user>[^;]+);)?" ]
	}
	date {
	match => [ "timestamp", "ISO8601" ]
	}
	}

	output {
	stdout {
	codec => rubydebug
	}

	elasticsearch_http {
	bind_host => "127.0.0.1"
	port => "9200"
	}
	}