# Logstash pipeline: MongoDB 3.x log lines shipped by Beats -> grok into
# structured fields -> keep only operations that carry a "<n>ms" duration
# suffix -> daily index in Elasticsearch.
#
# Scope caveat: because everything without a trailing "...ms" is dropped
# (see the `drop {}` below), this index is profiling/slow-op data only.
# Events that presumably carry no duration (ACCESS/NETWORK lines such as
# authentication failures) never reach Elasticsearch, so do not treat this
# index as an audit or auth-monitoring feed.

input {
  # Beats listener. No `ssl`/certificate options are set here, so the
  # listener accepts plaintext connections from any client that can reach
  # port 5044. NOTE(review): if shippers talk to this across a network that
  # is not fully trusted, enable ssl + client certificate verification.
  beats {
    port => 5044
    type => mongodblog
  }
}

filter {
  # Split the raw line into timestamp / severity / component / optional
  # [context] / body. `remove_field` only runs when the match succeeds: on a
  # non-matching line `message` is kept, `body` is never set, and the event
  # falls through to the `drop {}` branch below (the regex test on a missing
  # field evaluates false).
  grok {
    match => ["message","%{TIMESTAMP_ISO8601:timestamp}\s+%{MONGO3_SEVERITY:severity}\s+%{MONGO3_COMPONENT:component}\s+(?:\[%{DATA:context}\])?\s+%{GREEDYDATA:body}"]
    remove_field => ["message"]
  }

  # Only lines ending in a duration suffix survive; everything else is dropped.
  if [body] =~ "ms$" {

    if [component] =~ /COMMAND/ {
      # Pull out command, db, collection, query type and the free-form
      # `info` tail. The `(.\$|.|.system.)` separator uses unescaped `.`,
      # so it matches any single character between db and collection, not
      # only a literal dot -- presumably intended as "db.collection";
      # confirm before tightening.
      #
      # All the grok patterns in this section chain several unanchored
      # %{GREEDYDATA} captures in one expression; on long or malformed
      # bodies they can backtrack heavily. grok's per-event timeout
      # (`timeout_millis`) bounds a single attempt, but a burst of such
      # lines can still stall the pipeline -- worth watching if this input
      # is exposed to hosts you do not control.
      grok{
        match => ["body","%{WORD:command}\s+%{MONGO_WORDDASH:db_name}(.\$|.|.system.)%{MONGO_WORDDASH:collection_name}\s+%{WORD}:\s+%{WORD:query_type}\s+%{GREEDYDATA:info}(op_command|op_query)(\s+%{NUMBER:spend_time:int}ms$)?"]
      }

      if [query_type] =~ /find|update|delete/ {
        if [info] =~ /projection/ {
          if [info] =~ /planSummary/ {
            # query + projection + planSummary; the rest after keysExamined is discarded.
            grok {
              match => ["info","%{GREEDYDATA:query}(\,\sprojection:\s)+%{GREEDYDATA:projection}(\splanSummary:\s)+%{GREEDYDATA:planSummary}(\skeysExamined:)%{GREEDYDATA:rests}"]
              remove_field => ["info","rests"]
            }
          } else {
            # query + projection, split at shardVersion.
            grok{
              match => ["info","%{GREEDYDATA:query}(\,\sprojection:\s)+%{GREEDYDATA:projection}(\,\sshardVersion)%{GREEDYDATA:rests}"]
              remove_field => ["info","rests"]
            }
          }
        } else {
          if [info] =~ /planSummary/ {
            # query + planSummary (no projection present).
            grok{
              match => ["info","%{GREEDYDATA:query}(\,\sshardVersion)+(.*planSummary:\s)%{GREEDYDATA:planSummary}(\skeysExamined:)%{GREEDYDATA:rests}"]
              remove_field => ["info","rests"]
            }
          } else {
            # query only, split at shardVersion.
            grok{
              match => ["info","%{GREEDYDATA:query}(\,\sshardVersion)%{GREEDYDATA:rests}"]
              remove_field => ["info","rests"]
            }
          }
        }
      } else if [query_type] =~ /insert/ {
        # For inserts the inserted documents themselves become `query`.
        # Whatever the application wrote is indexed here (minus the numeric
        # stripping in the mutate below) -- consider whether this field
        # should be masked or dropped if documents can hold sensitive data.
        grok{
          match => ["info","(.*documents:\s)%{GREEDYDATA:query}(\,\sordered)%{GREEDYDATA:rests}"]
          remove_field => ["info","rests"]
        }
      } else {
        # Any other query type: split at planSummary / keyUpdates.
        if [info] =~ /planSummary/ {
          grok{
            match => ["info","%{GREEDYDATA:query}(\splanSummary:\s)+%{GREEDYDATA:planSummary}(\skeyUpdates:)%{GREEDYDATA:rests}"]
            remove_field => ["info","rests"]
          }
        } else {
          grok{
            match => ["info","%{GREEDYDATA:query}(\skeyUpdates:)%{GREEDYDATA:rests}"]
            remove_field => ["info","rests"]
          }
        }
      }

    } else if [component] =~ /WRITE/ {
      # WRITE lines: query_type / db / collection / duration. `info` is
      # captured only to anchor the match and is removed straight away; the
      # per-type groks below re-parse `body`, not `info`.
      grok{
        match => ["body","%{WORD:query_type}\s+%{MONGO_WORDDASH:db_name}(.\$|.)%{MONGO_WORDDASH:collection_name}\s+%{GREEDYDATA:info}(\}\s)+(%{NUMBER:spend_time:int}ms$)?"]
        remove_field => ["info"]
      }
      if [query_type] =~ /remove/ {
        grok{
          match => ["body","%{GREEDYDATA:query}(\sndeleted:)+%{GREEDYDATA:rests}"]
          remove_field => ["rests"]
        }
      } else if [query_type] =~ /update/ {
        grok{
          match =>["body","%{GREEDYDATA:query}(\skeysExamined:)+%{GREEDYDATA:rests}"]
          remove_field => ["rests"]
        }
      }

    } else {
      # Any other component with a duration: only `spend_time` is extracted.
      grok{
        match => ["body","%{GREEDYDATA:rests}(took\s|replication:\s|op_command\s|op_query\s)(%{NUMBER:spend_time:int}ms$)?"]
        remove_field => ["rests"]
      }
    }

  } else {
    # No duration suffix (or the first grok failed): discard the event.
    drop {}
  }

  # Normalize `query` so identical shapes collapse together: numeric literals
  # are stripped and spacing around ':' '{' '}' ',' is removed.
  #
  # The first three patterns differ only in where an optional space is
  # tolerated (before the digits, after `\d`) -- presumably intentional to
  # cope with the spacing the log emits; confirm before simplifying.
  #
  # Security note: only *numbers* are removed. String-valued filter/update
  # values (names, emails, tokens, ...) stay verbatim in `query` and are
  # indexed as-is. If such values can appear in the workload, add masking
  # here or drop `query` before output.
  mutate {
    gsub => ["query","-?\d*\.{0,1} \d+", "",
             "query","-?\d*\.{0,1}\d+", "",
             "query","-?\d *\.{0,1}\d+", "",
             "query",": ",":",
             "query"," }","}",
             "query","{ ","{",
             "query",", ","," ]
  }

  # `timestamp` was captured by %{TIMESTAMP_ISO8601}, so in practice only the
  # ISO8601 entry of this list ever applies; the others are harmless extras.
  date {
    match => [ "timestamp", "UNIX", "YYYY-MM-dd HH:mm:ss", "ISO8601"]
    remove_field => [ "timestamp" ]
  }
}

output{
  # Plain host:port to a hard-coded address. No `ssl`, `user`/`password`,
  # `cacert` or api_key options are configured here, so (unless something
  # outside this file supplies them) events are sent unencrypted and
  # unauthenticated. NOTE(review): if the Elasticsearch node is reachable
  # from anything but this host, enable TLS and credentials, and prefer a
  # hostname or variable over a hard-coded IP so the config can move
  # between environments.
  elasticsearch {
    hosts => ["10.9.195.171:9200"]
    index => "mongodblog_index-%{+YYYY.MM.dd}"
  }
}