-
Notifications
You must be signed in to change notification settings - Fork 0
/
filter-25
61 lines (53 loc) · 2.12 KB
/
filter-25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
filter {
ruby {
code => '
# Get the content of the document.message as a string
message_content = event.get("document.message")
# Split the content by lines
lines = message_content.split("\n")
# Define variables to hold the processed events
clientcount_events = []
count_events = []
urlcount_events = []
# Initialize the type of content to track where we are
current_type = nil
# Loop over each line in the message content
lines.each do |line|
# Check for markers to identify sections and switch type
if line.include?("clientcount")
current_type = "clientcount"
next
elsif line.include?("count")
current_type = "count"
next
elsif line.include?("urlcount")
current_type = "urlcount"
next
end
# Skip if the line is empty or not relevant
next if line.strip.empty?
# Process the line based on the current type
case current_type
when "clientcount"
# Split and parse the data for clientcount
data = line.split(" ")
clientcount_events << { "type" => "clientcount", "id" => data[0], "ip" => data[1] }
when "count"
# Split and parse the data for count
data = line.split(" ")
count_events << { "type" => "count", "id" => data[0], "ip" => data[1], "status" => data[2], "url" => data[3] }
when "urlcount"
# Split and parse the data for urlcount
data = line.split(" ")
urlcount_events << { "type" => "urlcount", "count" => data[0], "url" => data[1] }
end
end
# Cancel the original event
event.cancel
# Generate new events for clientcount, count, and urlcount sections
clientcount_events.each { |new_event| new_event.each { |key, value| event.set(key, value) }; event.clone }
count_events.each { |new_event| new_event.each { |key, value| event.set(key, value) }; event.clone }
urlcount_events.each { |new_event| new_event.each { |key, value| event.set(key, value) }; event.clone }
'
}
}