filter-80-object.conf

# The object field contains names of monitored objects or related objects like downtimes
# Syntax: hostname!servicename!objectname where host objects only have the first part
# and service names only have the first two parts
#
# Do not use host.name from ECS because this is already in use for the host writing
# the log.

filter {
  if [icinga][object] {
    mutate {
      add_field => {
        "[icinga][host]" => "%{[icinga][object]}"
      }
    }
    if [icinga][host] =~ /!/ {
      grok {
        match => ["[icinga][host]","%{DATA:[icinga][host]}!%{GREEDYDATA:[icinga][service]}"]
        tag_on_failure => ["_grokparsefailure","servicename_from_object_failed"]
        overwrite => "[icinga][host]"
      }
      if [icinga][service] =~ /!/ {
        grok {
          match => ["[icinga][service]","%{DATA:[icinga][service]}!%{GREEDYDATA:[icinga][objectid]}"]
          tag_on_failure => ["_grokparsefailure","object_id_from_service_failed"]
          overwrite => "[icinga][service]"
        }
      }
    }
  }
}