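# filter-50-legacytimeperiod.conf
#
# Parses Icinga log events whose [icinga][facility] is "LegacyTimePeriod".
# NOTE(review): [icinga][facility] is presumably populated by an earlier filter
# in the pipeline; that stage is not visible in this file.
#
# Two message shapes are handled:
#   * "Legacy timeperiod update returned <count> segments."
#       -> [icinga][count], [icinga][eventtype] = "legacy_timeperiod_update"
#   * "ParseTimeRange: '<weekday>' => <start> -> <end>, stride: <stride>"
#       -> [icinga][weekday], [icinga][starttime], [icinga][endtime],
#          [icinga][stride], [icinga][timerange],
#          [icinga][eventtype] = "parse_time_range"
#
# Each grok adds its own "<name>_failed" tag next to "_grokparsefailure" on a
# failed match, so parser drift can be found and alerted on per message type.
filter {
  if [icinga][facility] == "LegacyTimePeriod" {
    if [message] =~ /^Legacy timeperiod update returned .+ segments\./ {
      grok {
        # Grok is unanchored and DATA is a lazy ".*?". The previous pattern ended in
        # "%{DATA:...}." (unescaped dot), so DATA matched the empty string and the dot
        # consumed the first character of the count: [icinga][count] was never filled.
        # Anchoring the start and spelling out the literal " segments\." suffix makes
        # DATA capture everything between "returned " and " segments.".
        # NOTE(review): if the count is always numeric, tighten DATA to NUMBER so
        # unexpected content is tagged as a parse failure instead of being indexed.
        match => ["message","^Legacy timeperiod update returned %{DATA:[icinga][count]} segments\."]
        id => "icinga_legacytimeperiodupdate"
        add_tag => "icinga_legacytimeperiodupdate"
        tag_on_failure => ["_grokparsefailure","icinga_legacytimeperiodupdate_failed"]
        add_field => {
          "[icinga][eventtype]" => "legacy_timeperiod_update"
        }
      }
    } else if [message] =~ /^ParseTimeRange:/ {
      grok {
        # Anchored to match the surrounding conditional, which is anchored as well.
        match => ["message","^ParseTimeRange: '%{WORD:[icinga][weekday]}' => %{NUMBER:[icinga][starttime]} -> %{NUMBER:[icinga][endtime]}, stride: %{NUMBER:[icinga][stride]}"]
        id => "icinga_parsetimerange"
        add_tag => "icinga_parsetimerange"
        tag_on_failure => ["_grokparsefailure","icinga_parsetimerange_failed"]
        add_field => {
          "[icinga][eventtype]" => "parse_time_range"
        }
      }
      # Post-process only when grok produced both timestamps. Without this guard a
      # failed grok would still run the mutate below and store the unresolved literal
      # "%{[icinga][starttime]}-%{[icinga][endtime]}" in [icinga][timerange].
      if [icinga][starttime] and [icinga][endtime] {
        # Convert the epoch-second values in place to timestamps.
        date {
          match => ["[icinga][starttime]","UNIX"]
          target => "[icinga][starttime]"
        }
        date {
          match => ["[icinga][endtime]","UNIX"]
          target => "[icinga][endtime]"
        }
        # Combined "<start>-<end>" string built from the (converted) values above.
        mutate {
          add_field => {
            "[icinga][timerange]" => "%{[icinga][starttime]}-%{[icinga][endtime]}"
          }
        }
      }
    }
  }
}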