{
    "TimberWinR": {
        "Inputs": {
            "Stdin": [
                {
                    "codec":  "json"
                }
            ],
            "WindowsEvents": [
                {
                    "source": "System,Application",
                    "binaryFormat": "PRINT",
                    "resolveSIDS": true
                }
            ],
             "Tcp": [
                {
                    "_comment": "Output from NLog",   
                    "port": 5140
                }
            ]
        },
        "Filters": [          
            {
                "grok": {
                    "condition": "[type] == \"Win32-Eventlog\"",
                    "match": [
                        "Message",
                        ""
                    ],                   
                    "remove_field": [
                        "ComputerName"                   
                    ]
                }
            },
            {
                "grok": {
                    "match": [
                        "message",
                        "%{SYSLOGLINE}"
                    ],
                    "add_tag": [
                        "rn_%{Index}",
                        "bar"
                    ],
                    "add_field": [
                        "foo_%{logsource}",
                        "Hello dude from %{ComputerName}"
                    ]
                }
            },
            {
                "grok": {
                    "match": [
                        "Text",
                        "%{SYSLOGLINE}"
                    ],                   
                    "add_tag": [
                        "rn_%{RecordNumber}",
                        "bar"
                    ]
                }
            },
            {
             "date":  {
                    "condition": "[type] == \"Win32-FileLog\"",
                    "match": [
                        "timestamp",
                         "MMM  d HH:mm:sss",
                         "MMM dd HH:mm:ss"                                         
                    ],
                    "target": "UtcTimestamp",
                    "convertToUTC":  true
                }
            },
            {
                "mutate": {      
                    "_comment": "Orion Rules",        
                    "rename": [
                        "ComputerName", "Host",                                          
                        "SID", "Username"                 
                    ]
                }                
            }           
        ],
        "Outputs": {
            "Redis": [
                { 
                    "threads":  1,   
                    "interval": 5000, 
                    "batch_count":  500,              
                    "host": [
                        "tstlexiceapp006.vistaprint.svc"
                    ]
                }
            ],            
            "Elasticsearch": [
                { 
                    "threads":  1,   
                    "interval": 5000,                          
                    "host": [
                        "tstlexiceapp003.vistaprint.svc"
                    ]
                }
            ]                           
        }       
    }
}