Created
April 10, 2017 07:29
-
-
Save runningman84/d8e7c254b6c7ccf3094a556029ff346e to your computer and use it in GitHub Desktop.
sensu logstash filter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sensu filter | |
| json { | |
| id => "filter.sensu.json.1" | |
| source => message | |
| target => "sensu" | |
| add_tag => "sensu_found" | |
| } | |
| if ("sensu_found" in [tags]) { | |
| mutate { | |
| id => "filter.sensu.mutate.1" | |
| add_field => ["short_message", "%{[sensu][message]}"] | |
| replace => { "severity" => "%{[sensu][level]}" } | |
| remove_field => [ "[sensu][level]", "[sensu][message]" ] | |
| } | |
| # 2015-12-11T14:05:07.154701+0000 | |
| date { | |
| id => "filter.sensu.date.1" | |
| match => [ "[sensu][timestamp]", "ISO8601" ] | |
| locale => "Locale.US" | |
| add_tag => ["timestamp_changed"] | |
| remove_field => [ "[sensu][timestamp]" ] | |
| } | |
| if([sensu][payload][check]) { | |
| mutate { | |
| id => "filter.sensu.mutate.2" | |
| rename => ["[sensu][payload][client]", "sensu_client"] | |
| rename => ["[sensu][payload][check][duration]", "sensu_check_duration"] | |
| rename => ["[sensu][payload][check][interval]", "sensu_check_interval"] | |
| rename => ["[sensu][payload][check][name]", "sensu_check_name"] | |
| rename => ["[sensu][payload][check][command]", "sensu_check_command"] | |
| rename => ["[sensu][payload][check][type]", "sensu_check_type"] | |
| rename => ["[sensu][payload][check][status]", "sensu_check_status"] | |
| rename => ["[sensu][payload][check][output]", "sensu_check_output"] | |
| rename => ["[sensu][payload][check][occurrences]", "sensu_check_occurrences"] | |
| convert => [ "sensu_check_duration", "float" ] | |
| convert => [ "sensu_check_interval", "integer" ] | |
| remove_field => [ "[sensu][payload]" ] | |
| } | |
| } | |
| if([sensu][event][check]) { | |
| mutate { | |
| id => "filter.sensu.mutate.3" | |
| convert => [ "[sensu][event][check][duration]", "float" ] | |
| convert => [ "[sensu][event][check][interval]", "integer" ] | |
| rename => ["[sensu][event][client][name]", "sensu_client"] | |
| rename => ["[sensu][event][check][duration]", "sensu_check_duration"] | |
| rename => ["[sensu][event][check][interval]", "sensu_check_interval"] | |
| rename => ["[sensu][event][check][name]", "sensu_check_name"] | |
| rename => ["[sensu][event][check][command]", "sensu_check_command"] | |
| rename => ["[sensu][event][check][type]", "sensu_check_type"] | |
| rename => ["[sensu][event][check][status]", "sensu_check_status"] | |
| rename => ["[sensu][event][check][output]", "sensu_check_output"] | |
| rename => ["[sensu][event][check][occurrences]", "sensu_check_occurrences"] | |
| rename => ["[sensu][event][check][history]", "sensu_check_history"] | |
| rename => ["[sensu][event][check][total_state_change]", "sensu_check_total_state_change"] | |
| rename => ["[sensu][event][id]", "sensu_event_id"] | |
| rename => ["[sensu][event][occurrences]", "sensu_event_occurrences"] | |
| convert => [ "sensu_event_occurrences", "integer" ] | |
| convert => [ "sensu_check_duration", "float" ] | |
| convert => [ "sensu_check_interval", "integer" ] | |
| rename => ["[sensu][event][action]", "sensu_event_action"] | |
| remove_field => [ "[sensu][event]" ] | |
| } | |
| } | |
| if([sensu][check]) { | |
| mutate { | |
| id => "filter.sensu.mutate.4" | |
| rename => ["[sensu][check][name]", "sensu_check_name"] | |
| rename => ["[sensu][check][command]", "sensu_check_command"] | |
| remove_field => [ "[sensu][check]" ] | |
| } | |
| } | |
| if([sensu][action]) { | |
| mutate { | |
| id => "filter.sensu.mutate.5" | |
| rename => ["[sensu][action]", "sensu_action"] | |
| } | |
| } | |
| if([sensu][payload][name] and [sensu][payload][command]) { | |
| mutate { | |
| id => "filter.sensu.mutate.6" | |
| rename => ["[sensu][payload][name]", "sensu_check_name"] | |
| rename => ["[sensu][payload][command]", "sensu_check_command"] | |
| remove_field => [ "[sensu][payload]" ] | |
| } | |
| } | |
| # remove output from metrics | |
| if ([sensu_check_type] == "metric" and [sensu_check_output]) { | |
| mutate { | |
| id => "filter.sensu.mutate.7" | |
| remove_field => [ "[sensu_check_output]" ] | |
| } | |
| } | |
| if([sensu][extension][name] and [sensu][extension][type]) { | |
| mutate { | |
| id => "filter.sensu.mutate.8" | |
| rename => ["[sensu][extension][name]", "sensu_extension_name"] | |
| rename => ["[sensu][extension][type]", "sensu_extension_type"] | |
| remove_field => [ "[sensu][extension]" ] | |
| } | |
| if([sensu][output] and [sensu][status]) { | |
| mutate { | |
| id => "filter.sensu.mutate.9" | |
| rename => ["[sensu][output]", "sensu_extension_output"] | |
| rename => ["[sensu][status]", "sensu_extension_status"] | |
| } | |
| } | |
| } | |
| # drop debug handler messages | |
| if ([sensu_extension_name] == "debug") { | |
| drop { | |
| id => "filter.sensu.drop.1" | |
| } | |
| } | |
| # drop debug handler messages | |
| if ([sensu_extension_output] == "" and [sensu_extension_status] == 0) { | |
| drop { | |
| id => "filter.sensu.drop.2" | |
| } | |
| } | |
| mutate { | |
| id => "filter.sensu.mutate.10" | |
| remove_field => [ "[sensu]" ] | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment