#===============================================================================
filter {
    #---------------------------------------------------------------------------
    # Parse & tag generic sqlalchemy logs (as used by keystone)
    if "sqlalchemy-generic" in [tags] {
        #-----------------------------------------------------------------------
        grok {
            match => [
                "@message", "('%{WORD:sqlalchemy_id}', %{DATA:expires}, '%{DATA:extra}', %{NUMBER:valid}, '%{WORD:user_id}', (')?%{WORD:trust_id}(')?)"
                ]
            add_tag => [ "sqlalchemy-issued-token" ]
            break_on_match => false
            remove_field => ["message"]
            tag_on_failure => []
        }
        #-----------------------------------------------------------------------
        # Parse & tag json from 'extra' field in sqlalchemy-issued-token
        if "sqlalchemy-issued-token" in [tags] {
            json {
                source => "extra"
                add_tag => "token-extra-json"
            }
        }
        #-----------------------------------------------------------------------
    }
    #---------------------------------------------------------------------------
}
#===============================================================================