
decision_logs.conf

# Input: watch the drop directory for decision log files and read each file
# once (mode => "read"); a finished file is recorded in the completion log
# rather than deleted.
input {
  file {
    path => ["~/files/decision_logs/0116e83a-7e21-11ec-ab5b-00c9e2c2068b/**/decisions-*"]
    mode => "read"
    file_completed_action => "log"
    file_completed_log_path => "~/files/decision_logs/0116e83a-7e21-11ec-ab5b-00c9e2c2068b/decisions-completed.log"
    # NOTE(review): the completion log lives inside the watched tree and its
    # name also starts with "decisions-"; if "**/" can match zero directories
    # here, the input may ingest its own completion log as CSV — confirm, and
    # move the log outside the glob if so.
    # NOTE(review): "~" is handed to the plugin verbatim; confirm the file input
    # expands it, otherwise use an absolute path.

    # Each dropped file is CSV: the first row names the columns, values are
    # single-quoted, and the "outcome" column is coerced to a boolean.
    codec => csv {
      autodetect_column_names => true
      quote_char => "'"
      convert => { "outcome" => "boolean" }
    }
  }
}
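# Filter: timestamp the event, enrich it with user data from the users index,
# and expand the resource column.
filter {
  # Use decision_time (ISO8601) as the event @timestamp.
  date {
    match => ["decision_time", "ISO8601"]
  }

  # Look up the acting user in the users index built by the users.conf pipeline.
  # Guarded so events without user_id do not run a lookup whose query is the
  # unresolved literal "%{[user_id]}".
  if [user_id] {
    elasticsearch {
      hosts => ["localhost:9200"]
      user => "elastic"
      # The password is read from the Logstash keystore / environment rather
      # than stored in this file; the same secret is used by every
      # Elasticsearch plugin in this pipeline. (ES_PASSWORD is a constructed
      # name — set it in the keystore or environment before starting.)
      password => "${ES_PASSWORD}"
      index => "aserto-users-0116e83a-7e21-11ec-ab5b-00c9e2c2068b"
      # NOTE(review): user_id is interpolated straight from the CSV into a
      # query_string query; a value containing query syntax (whitespace, ':',
      # '*', 'OR', ...) changes which user document is matched. Prefer a
      # query_template with an exact term lookup, or reject ids that do not
      # match the expected format before this point.
      query => "id:%{[user_id]}"
      enable_sort => false
      fields => {
        "email" => "[user][email]"
        "attributes" => "[user][attributes]"
      }
    }
  }

  # The resource column is a JSON document; parse it in place.
  json {
    source => "resource"
    target => "resource"
  }

  # In this example the resource carries an 'id' that references a user. Look
  # that user up in the same users index and attach its email to the event.
  if [resource][id] {
    elasticsearch {
      hosts => ["localhost:9200"]
      user => "elastic"
      # Same keystore/environment secret as above (ES_PASSWORD is a constructed
      # name).
      password => "${ES_PASSWORD}"
      index => "aserto-users-0116e83a-7e21-11ec-ab5b-00c9e2c2068b"
      # NOTE(review): [resource][id] comes from parsed, unvalidated JSON and is
      # interpolated into a query_string query — same concern as the user_id
      # lookup.
      query => "id:%{[resource][id]}"
      enable_sort => false
      fields => {
        "email" => "[resource][user][email]"
      }
    }
  }
}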
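# Output: write each enriched decision to the decisions index, keyed by
# decision_id so re-reading a file updates documents instead of duplicating
# them.
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "elastic"
    # The password is read from the Logstash keystore / environment rather
    # than stored in this file (ES_PASSWORD is a constructed name — set it in
    # the keystore or environment before starting).
    password => "${ES_PASSWORD}"
    index => "aserto-decisions-0116e83a-7e21-11ec-ab5b-00c9e2c2068b"
    # NOTE(review): if an event has no decision_id, the document id is the
    # literal string "%{[decision_id]}" and every such event overwrites the
    # same document; drop or tag those events in the filter section if that is
    # not intended.
    # NOTE(review): hosts is plain http to localhost; if Elasticsearch is
    # reached over a network, basic-auth credentials travel in clear unless
    # ssl is enabled.
    document_id => "%{[decision_id]}"
  }
}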