After being exposed to Logstash in my current role, I thought I would share what I think Logstash should be. Maybe I don't know enough about the product yet, but the focus should be on making the product better.
This is perhaps one of the biggest areas for improvement I can see in Logstash. If you have a complex log, writing the configuration becomes a task of days or weeks rather than a few hours; reading a simple HTTP log is pretty straightforward. Testing a configuration is a tedious cycle of deleting the Elasticsearch data, resetting the feeder and running the test again to see if things worked, all very time-consuming work just to check whether a simple configuration is going to work or not.
Ideally you would have a configuration that you could run a specific rule against the data with, plus a simple output to check that the resulting data was correct.
This is where I would like to suggest some enhancements:
A web interface for the creation of Logstash rules, i.e. you have a line from a log file and you just highlight the bits that you want, and it automatically determines the configuration. Then a simple click-to-test of the entire configuration against a set of data, so you know you have the rules right.
The ability to rerun new matching rules against old data. Sometimes you don't log everything, and it would be good to be able to rerun a new rule against data you already have.
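The two things asked for above, a quick rule-against-data check that does not touch Elasticsearch, and a way to rerun a rule over old data, can both be approximated with a throwaway pipeline file. This is an added example, not a configuration from the original post; the log line, the file path and the pipeline file name are constructed for illustration, and the grok pattern is the stock `COMBINEDAPACHELOG` pattern that ships with Logstash:

```logstash
# Added example (not from the original post): a test pipeline that feeds
# sample lines through one grok rule and prints the parsed event, so nothing
# has to be deleted from Elasticsearch between runs.
#
#   bin/logstash -f test-pipeline.conf                        # run it
#   bin/logstash -f test-pipeline.conf --config.test_and_exit # syntax check only

input {
  # Mode 1: paste lines by hand. A constructed line to try:
  # 203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.64.1"
  stdin { }

  # Mode 2 (rerun a new rule over old data): comment out stdin above and use a
  # file input instead. sincedb_path => "/dev/null" discards the remembered read
  # offset, so the whole file is re-read on every run.
  # file {
  #   path           => "/var/log/old/access.log"   # assumed path
  #   start_position => "beginning"
  #   sincedb_path   => "/dev/null"
  # }
}

filter {
  grok {
    # The rule under test.
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    # Lines that do not match keep the raw message and get this tag
    # (it is the default tag); seeing it in the output means the rule is wrong
    # for that line, which is exactly what you want to know before deploying.
    tag_on_failure => ["_grokparsefailure"]
  }
}

output {
  # Dump every field of each event to the terminal instead of indexing it.
  stdout { codec => rubydebug }
}
```

Read the output for two things: that the fields you expect (client address, verb, request, response code) actually appear, and that no event carries `_grokparsefailure`. A rule that silently fails to match does not error out; it just leaves unparsed events behind, which is how detection rules built on those fields end up with blind spots.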
Anyhow, I thought I would just put up some words for thought.