{
    "TimberWinR": {
        "Inputs": {
            "WindowsEvents": [
                {
                    "source": "System,Application",
                    "binaryFormat": "PRINT",
                    "resolveSIDS": true
                }
            ],
             "Tcp": [
                {
                    "port": "5140"
                }
            ],
            "Logs": [
                {
                    "name": "Syslogs1",
                    "location": "C:\\Logs1\\*.log"
                }
            ],
            "IISW3CLogs": [
                {
                    "name": "Default site",
                    "location": "c:\\inetpub\\logs\\LogFiles\\W3SVC1\\*"
                }
            ]
        },
        "Outputs": {
            "Redis": [
                { 
                    "threads":  1,   
                    "interval": 5000, 
                    "batch_count":  500,              
                    "host": [
                        "tstlexiceapp006.vistaprint.svc"
                    ]
                }
            ]
        },
        "Filters": [          
            {
                "grok": {
                    "condition": "[type] == \"Win32-Eventlog\"",
                    "match": [
                        "Message",
                        ""
                    ],                   
                    "remove_field": [
                        "ComputerName"                   
                    ]
                }
            },
            {
                "grok": {
                    "match": [
                        "message",
                        "%{SYSLOGLINE}"
                    ],
                    "add_tag": [
                        "rn_%{Index}",
                        "bar"
                    ],
                    "add_field": [
                        "foo_%{logsource}",
                        "Hello dude from %{ComputerName}"
                    ]
                }
            },
            {
                "grok": {
                    "match": [
                        "Text",
                        "%{SYSLOGLINE}"
                    ],
                    "add_tag": [
                        "rn_%{RecordNumber}",
                        "bar"
                    ]
                }
            },
            {
             "date":  {
                    "condition": "[type] == \"Win32-FileLog\"",
                    "match": [
                        "timestamp",
                        "MMM  d HH:mm:sss",
                        "MMM dd HH:mm:ss"                       
                    ],
                    "add_field":  [
                        "UtcTimestamp"
                    ],                
                    "convertToUTC":  true
                }
            },
            {
                "mutate": {      
                    "_comment": "Orion Rules",        
                    "rename": [
                        "ComputerName", "Host",
                        "host", "Host",
                        "message","Message",
                        "type","Type",
                        "SID", "Username"                 
                    ]
                }                
            }           
        ]
    }
}