filter {
  if "swift-container" in [tags] {
    grok {
      match => {
        "message" => "%{CISCOTIMESTAMP}%{SPACE}%{S3_REQUEST_LINE}%{SPACE}%{CISCOTIMESTAMP}%{SPACE}%{HOSTNAME}%{SPACE}%{PROG}%{SPACE}%{USER}%{SPACE}%{USERNAME}%{SPACE}%{NOTSPACE}%{SPACE}%{S3_REQUEST_LINE}%{SPACE}%{HTTPDUSER}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{INT}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{SECOND}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}"
      }
    }
  }
  if "swift-account" in [tags] {
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP}%{SPACE}%{HOSTNAME}%{SPACE}%{PROG}%{SPACE}%{SYSLOGTIMESTAMP}%{SPACE}%{S3_REQUEST_LINE}%{SPACE}%{IP}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{SYSLOG5424SD}%{SPACE}%{QS}%{SPACE}%{POSINT}%{SPACE}%{NOTSPACE}%{SPACE}%{QS}%{SPACE}%{QS}%{SPACE}%{QS}%{SPACE}%{SECOND}%{SPACE}%{QS}%{SPACE}%{NUMBER}%{SPACE}%{NOTSPACE}"
      }
    }
  }
  if "swift" in [tags] {
    grok {
      match => {
       "message" => "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{NOTSPACE:logsource} %{SYSLOGPROG:module}: (?:%{SPACE})?%{GREEDYDATA:logmessage}"
      }
    }

    grok {
      patterns_dir => ['/opt/logstash/patterns']
      match => {
        "logmessage" => [
          "%{COMBINEDAPACHELOG}",
          "%{SWIFTPROXY_ACCESS}",
          "%{GREEDYDATA:logmessage} \(txn\: %{DATA:swift_txn}\)"
        ]
      }
      tag_on_failure => []
      overwrite => [ "logmessage" ]
    }

    if [request] {
      mutate {
        replace => { "logmessage" => "%{request}" }
      }
    }

    mutate {
      replace => { "module" => "swift.%{module}" }
    }

    if [file] =~ "error.log$" {
      mutate {
        add_field => { "loglevel" => "NOTICE" }
      }
    } else {
      mutate {
        add_field => { "loglevel" => "INFO" }
      }
    }
  }
}