filter { if [type] == "proxy_bluecoat" { # drop comment line

1. filter {
2. if [type] == "proxy_bluecoat" {
3. # drop comment lines
4. if ([message] =~ /^#/) {
5. drop{}
6. }
7. csv {
8. columns => ["date", "time", "time_taken", "c_ip", "sc_status", "s_action", "sc_bytes", "cs_bytes", "cs_method", "cs_uri_scheme", "cs_host", "cs_uri_port", "cs_uri_path", "cs_uri_query", "cs_username", "s_supplier_name", "rs_content_type", "cs_referer", "cs_user_agent", "sc_filter_result", "cs_categories", "s_ip", "r_dns", "r_ip", "x_cs_dns"]
9. separator => " "
10. }
11. if [timestamp] {
12. date {
13. match => ["timestamp", "YYYY-MM-dd HH:mm:ss" ]
14. }
15. } else if [gmttime] {
16. date {
17. match => ["gmttime", "dd/MM/YYYY:HH:mm:ss' GMT'"]
18. timezone => ['UTC']
19. }
20. } else if [localtime] {
21. date { match => ["localtime", "[dd/MMM/YYYY:HH:mm:ss Z]"] }
22. } else if [date] and [time] {
23. mutate { merge => ["date", "time"] }
24. mutate { join => ["date", " "] }
25. date {
26. match => ["date", "YYYY-MM-dd HH:mm:ss" ]
27. timezone => ['UTC']
28. }
29. }
30. if ([s_supplier_ip] and [s_supplier_ip] != "-") {
31. geoip {
32. source => "s_supplier_ip"
33. }
34. }
35. mutate {
36. convert => ["sc_bytes", "integer",
37. "time_taken", "integer",
38. "r_port", "integer",
39. "s_port", "integer",
40. "cs_bytes", "integer",
41. "duration", "integer"
42. ]
43. }
44.  
45. if [cs_user_agent] != "" {
46. useragent { source => "cs_user_agent" prefix => "user_agent." }
47. }
48.  
49. mutate {
50. remove_field => ["message", "host", "date", "time", "timestamp", "gmttime", "localtime"]
51. }
52. }
53. }