more doc

2014-07-30 07:49:05 -04:00
parent 6e50ad9a54
commit 7265514b4c
2 changed files with 68 additions and 30 deletions
--- a/Filters.md
+++ b/Filters.md
@@ -9,22 +9,58 @@ The following filters are provided.
 | *[mutate][6]*     |Similar to the [logstash mutate][3] filter                          
 Example Input:
 ```json
-{
-    "TimberWinR": {
-        "Inputs": {
-            "WindowsEvents": [
+ "Filters": [          
    {
-                    "source": "System,Application",
-                    "binaryFormat": "PRINT",
-                    "resolveSIDS": true
+        "grok": {
+            "condition": "[type] == \"Win32-Eventlog\"",
+            "match": [
+                "Message",
+                ""
+            ],                   
+            "remove_field": [
+                "ComputerName"                   
+            ]
        }
+    },
+    {
+        "grok": {
+            "match": [
+                "message",
+                "%{SYSLOGLINE}"
+            ],           
+            "add_field": [               
+                "Hello", "from %{logsource}"
+            ]
+        }
+    },
+    {
+        "date":  {
+            "condition": "[type] == \"Win32-FileLog\"",
+            "match": [
+                "timestamp",
+                "MMM  d HH:mm:sss",
+                "MMM dd HH:mm:ss"                       
+            ],
+            "add_field":  [
+                "UtcTimestamp"
+            ],                
+            "convertToUTC":  true
+        }
+    },
+    {
+        "mutate": {      
+            "_comment": "Custom Rules",        
+            "rename": [
+                "ComputerName", "Host",
+                "host", "Host",
+                "message","Message",
+                "type","Type",
+                "SID", "Username"                 
            ]
        }                
    }           
-}
+]
 ```
-
-
  [1]: http://logstash.net/docs/1.4.2/filters/grok
  [2]: http://logstash.net/docs/1.4.2/filters/date
  [3]: http://logstash.net/docs/1.4.2/filters/mutate
--- a/mdocs/GrokFilter.md
+++ b/mdocs/GrokFilter.md
@@ -21,7 +21,7 @@ For the above example, your grok filter would look something like this:
 %{NUMBER:duration} %{IP:client}


-## Mutate Operations
+## Grok Operations
 The following operations are allowed when mutating a field.

 | Operation       |     Type        | Description                                                            
@@ -46,13 +46,7 @@ The pattern for this could be:
 ```
 %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
 ```
-And if the message matches, then 5 fields would be added to the event:
- 1. client=55.3.244.1
- 2. method=GET
- 3. request=/index.html
- 4. bytes=15824
- 5. duration=0.043
-
+Given this configuration
 ```json
  "Filters": [     
    {
@@ -62,17 +56,25 @@ And if the message matches, then 5 fields would be added to the event:
               "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"
           ],
           "add_tag": [               
-               "rn_%{Index}",
-               "bar"
+               "http_log"
           ],
           "add_field": [
-               "foo_%{logsource}",
-               "Hello dude from %{ComputerName}"
+               "verb", "%{method}"
           ]
        }           
    }     
  ]
 ```
+And if the message matches, then 6 fields would be added to the event:
+ 1. client=55.3.244.1
+ 2. method=GET
+ 3. request=/index.html
+ 4. bytes=15824
+ 5. duration=0.043
+ 6. verb=GET
+
+And the following tag will be added
+ 1. tag: { "http_log" }

 ### condition "C# expression"
 If present, the condition must evaluate to true in order for the remaining operations to be performed.  If there is no condition specified