filter {
  if "logstash" in [tags] {
    grok {
      match => {
        "message" => "\{\:timestamp=>\"%{TIMESTAMP_ISO8601:timestamp}\", \:message=>\"%{DATA:logmessage}\"(;|)(, \:address=>\"%{URIHOST:address}\", \:exception=>#<%{DATA:exception}>, \:backtrace=>\[%{DATA:backtrace}\]|)(, \:level=>:%{LOGLEVEL:loglevel}|)\}"
      }
    }

    mutate {
      add_field => { "module" => "logstash" }
      uppercase => [ "loglevel" ]
    }

    if [loglevel] == "WARN" {
      mutate {
        replace => { "loglevel" => "WARNING" }
      }
    } else if ![loglevel] {
      mutate {
        add_field => { "loglevel" => "ERROR" }
      }
    }

  }
}