filter {
  if "journald" in [tags] {
    if [systemd_slice] {
      mutate {
        copy => { "systemd_slice" => "systemd_slice_tag" }
      }
      mutate {
        gsub => [ "systemd_slice_tag", ".slice", "" ]
      }
      if [systemd_slice_tag] != "-" {
        mutate {
          add_tag => [
            "%{systemd_slice_tag}"
          ]
        }
      }
      mutate {
        remove_field => [ "%{systemd_slice_tag}" ]
      }
    }
  }
}