colinsurprenant · April 25, 2014 16:30
diff --git a/scratchpad.txt b/scratchpad.txt
 input { stdin {} }

 filter {}

 output {
  stdout {
    codec => rubydebug
  }
 }




 filter {
  grok {
    match => {
      "message" => '%{HTTPDATE:timestamp} %{IP:ip} <%{DATA:msg}>'
    }
  }
 }


 18/Mar/2014:18:31:15 -0500 8.8.8.8 <hello world>


 date {
  match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
 }

 date {
  match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
 }

 geoip {
  source => "ip"
 }

 %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}
	input { stdin {} }

	filter {}

	output {
	stdout {
	codec => rubydebug
	}
	}




	filter {
	grok {
	match => {
	"message" => '%{HTTPDATE:timestamp} %{IP:ip} <%{DATA:msg}>'
	}
	}
	}


	18/Mar/2014:18:31:15 -0500 8.8.8.8 <hello world>


	date {
	match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
	}

	date {
	match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
	}

	geoip {
	source => "ip"
	}

	%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-\|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}