input { beats { port => 5044 } }

filter { grok { match => { "message" => "%{LOGLEVEL:loglevel} %{GREEDYDATA:message}"} overwrite => [ "message" ] }

    json{
            source => "message"
    }

    if [message] != "" {
            mutate {
                add_tag => [ "spam_log" ]
            }
    }
    else {
       mutate{
          add_tag => [ "analyze" ]
       add_field => {"index_name" => "%{Process}"}
       }
    mutate {
        gsub => ["index_name","[ *<>%|?]","_"]
    }
    ruby {
        code => 'event.set("index_name", event.get("index_name").to_s.force_encoding("ISO-8859-1").downcase)'
    }

       mutate{
          convert => { "[RunTime]" => "integer" }
          add_tag => [ "processed log" ]
            }
       mutate {
          lowercase => [ "[ItemStatus]" ]
              }

    }

if "spam_log" in [tags] {
    if "execution ended" in [message] {
        mutate { add_tag => ["total"]}
        ruby {
            path => "C:/busapps/rrsb/gbl1/logstash/7.0.0/ruby_scripts/remove_env_suffix.rb"
        }

    }
    else {
        drop{}
    }
}

}

output { if ("total" in [tags]) { elasticsearch { hosts => ["localhost:9200"] index => "totalexecution-%{+YYYY}" user => elastic password => "3wUwULD3QJaKke" } }

}