Hi All,
I have a log file which looks like this. My filter config looks like this:
# Routes every event by the shape of its `message` field:
#   1. lines of the form "<a>: <b> - <c>" are parsed into fields and enriched
#      with path-derived ids and the last stored datetime;
#   2. lines that look like a date/time stamp are remembered as shared metadata;
#   3. everything else is dropped.
filter{
# Branch 1. The pattern is unanchored and uses three greedy (.*) groups, so when
# ": " or " - " occurs more than once in a line the greedy matching decides where
# the split falls. The same pattern is evaluated again by `scan` in the Ruby code.
# NOTE(review): an anchored pattern with narrower groups (or dissect/grok) would
# make the split explicit and avoid backtracking on long lines.
if [message] =~ /(.*): (.*) - (.*)/ {
# Trims surrounding whitespace from message; this runs after the condition above
# has already been evaluated against the untrimmed value.
mutate { strip => [ "message" ] }
ruby {
# Per-event code:
#  - splits [log][file][path] on "/" and takes the second-to-last component as
#    site_id and the third-to-last as source_id;
#  - stores capture 2 as "test" and capture 3 as "value" (capture 1 is not stored);
#  - copies the shared @@metadata hash onto the event as "metadata".
# NOTE(review): if [log][file][path] is missing, `path.split` is called on nil and
# raises; presumably the ruby filter then tags the event instead of setting the
# fields - verify.
# NOTE(review): `puts path` prints every path component to stdout for each event;
# it looks like leftover debug output.
# NOTE(review): site_id and source_id are whatever the shipper reported as the file
# path; validate them before they are used downstream in index names, file paths
# or access decisions.
# NOTE(review): @@metadata is a Ruby class variable that is only assigned in the
# `init` of the ruby filter in the next branch, so this code depends on that other
# filter. The value attached here is whichever datetime line was processed most
# recently by the pipeline, regardless of which file or source it came from.
# Correct pairing presumably requires a single pipeline worker and events that
# arrive in file order; with several files interleaved, a header from one source
# can be stamped onto lines from another - confirm.
code => '
msg = event.get("message")
path = event.get("[log][file][path]")
path = path.split("/")
puts path
site_id = path[-2]
source_id = path[-3]
matches = msg.scan(/(.*): (.*) - (.*)/)
m = matches[0]
event.set("test", m[1])
event.set("value", m[2])
event.set("site_id", site_id)
event.set("source_id", source_id)
event.set("metadata",@@metadata)
'
}
}
# Branch 2. Matches MM/DD/YYYY (years 16xx-21xx), a space, HH:MM with optional :SS
# in 24-hour range, and an optional space plus a two-character suffix.
# NOTE(review): `[AM|PM|]{2,2}` is a character class, not an alternation: it accepts
# any two characters out of A, M, P and |, so "MM" or "||" pass as well.
# `(AM|PM)` expresses the likely intent.
# NOTE(review): in Ruby regular expressions ^ and $ anchor at line boundaries, not
# at the start and end of the string; if these conditionals follow Ruby semantics,
# a multi-line message passes when any single line matches. \A and \z anchor the
# whole value - confirm which applies here.
else if [message] =~ /^([0]\d|[1][0-2])\/([0-2]\d|[3][0-1])\/([2][01]|[1][6-9])\d{2}(\s([0-1]\d|[2][0-3])(\:[0-5]\d){1,2})(\s([AM|PM|]{2,2}))?$/ {
mutate { strip => [ "message" ] }
ruby {
# `init` runs once when the filter is set up and creates the shared hash that the
# first branch reads.
init => '
@@metadata = {}
'
# Per-event code: stores the whole message under the "datetime" key. The event
# itself is not modified or dropped here, so it continues through the pipeline.
code => '
msg = event.get("message")
@@metadata["datetime"] = msg
'
}
}
# Anything matching neither pattern is discarded.
# NOTE(review): dropped lines leave no trace; if this pipeline carries audit or
# security logs, tagging and routing unparsed lines elsewhere keeps them available
# for investigation.
else{
drop {}
}
}