#===============================================================================
filter {
    #---------------------------------------------------------------------------
    # Parse & tag cinder logs
    if "cinder-generic" in [tags] {
        #-----------------------------------------------------------------------
        # Parse & tag cinder request-id's
        # i.e.:
        # 1) 2014-06-11 16:00:36.270 4131 AUDIT cinder.api.v1.volumes [req-6d007686-a7d7-4252-912a-0cb224dc148f 3701c870aea549039fdeb22a3ec36864 e77cc2a25f004ec099497d95f02f96dd] ...
        grok {
            match => ["@message", "\[req-%{UUID:request_id} %{WORD:request_user_id} %{WORD:request_tenant_id}\] %{GREEDYDATA:message}"]
            add_tag => [ "cinder-request-id" ]
            break_on_match => false
            overwrite => ["message"] # overwrites original message with whats left
            tag_on_failure => []
        }
        #-----------------------------------------------------------------------
        # Parse & tag volume info from 'message' field in cinder-request-id
        if "cinder-request-id" in [tags] {
            grok {
                match => ["@message", "vol=%{GREEDYDATA:vol}"]
                add_tag => [ "cinder-request-volume-info" ]
                break_on_match => false
                remove_field => ["message"] # overwrites original message with whats left
                tag_on_failure => []
            }
            if "cinder-request-volume-info" not in [tags] {
                grok {
                    match => ["@message", "%{GREEDYDATA:message}"]
                    add_tag => [ "cinder-action" ]
                    break_on_match => false
                    overwrite => ["message"] # overwrites original message with whats left
                    tag_on_failure => []
                }
            }
        }
        #-----------------------------------------------------------------------
    }
}
#===============================================================================