From 9734f3516e834bb490fec8b56cfd2af2450e9c70 Mon Sep 17 00:00:00 2001 From: Eric Fontana Date: Thu, 18 Dec 2014 07:57:42 -0500 Subject: [PATCH] Update ddoc. --- README.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/README.md b/README.md index 2e81a05..323e394 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,54 @@ The current list of supported filters are: 4. [Json](https://github.com/Cimpress-MCP/TimberWinR/blob/master/TimberWinR/mdocs/JsonFilter.md) 5. [GeoIP](https://github.com/Cimpress-MCP/TimberWinR/blob/master/TimberWinR/mdocs/GeoIPFilter.md) +Note that there are now two syntaxes for filters, array and single, if you want more than one filter of the same +type then you must use the array tag instead of the singular tag. i.e: + +A single Json filter using the single tag +```json +"Filters": [ + { + "json": { + "type": "Win32-FileLog", + "condition": "\"[logSource]\" == \"dev\"", + "source": "Text", + "add_field": [ + "_index", + "dev-%{yyyy.MM.dd}" + ] + } + } +] +``` + +Multiple Json filters must use the jsonFilters and array syntax +```json +"Filters": [ + { + "jsonFilters": [ + { + "type": "Win32-FileLog", + "condition": "\"[logSource]\" == \"dev\"", + "source": "Text", + "add_field": [ + "_index", + "dev-%{yyyy.MM.dd}" + ] + }, + { + "type": "Win32-FileLog", + "condition": "\"[logSource]\" == \"sta\"", + "source": "Text", + "add_field": [ + "_index", + "sta-%{yyyy.MM.dd}" + ] + } + ] + } +] +``` + ## JSON Since TimberWinR only ships to Redis and Elasticsearch, the format generated by TimberWinR is JSON. All fields referenced by TimberWinR can be represented as a JSON Property or Array.