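# Logstash pipeline: receives one JSON log document per TCP line, flattens the
# fields the dashboards use, tags Java stack-trace continuation lines, and
# ships every event to Elasticsearch (plus a local debug file).
input {
  # NOTE(review): plain TCP with no TLS and no client authentication — any host
  # that can reach port 5000 can inject arbitrary events into the index.
  # Restrict the listener (host => / firewall) or enable ssl_enable/ssl_cert
  # with ssl_verify if the senders are not on a trusted network.
  tcp {
    port => 5000
  }
}

filter {
  # Lines that begin with "\tat" are Java stack-trace frames; tag them so they
  # can be found or filtered downstream. The grok only tags, it extracts nothing.
  if [message] =~ "\tat" {
    grok {
      match => ["message", "^(\tat)"]
      add_tag => ["stacktrace"]
    }
  }

  # Earlier plain-text parsing path, kept disabled as in the original. It would
  # have been the only producer of a top-level "timestamp" field.
  # grok {
  #   match => [ "message",
  #     "(?%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}) %{LOGLEVEL:level} %{NUMBER:pid} --- .+? :\s+(?.*)"
  #   ]
  # }

  # The message is expected to be a JSON document whose keys are read below
  # (level, app_name, thread_name, logger_name, message, @timestamp,
  # stack_trace). These match logstash-logback-encoder defaults — assumption,
  # confirm with the producing application. Parsed under [logInfo] so the
  # payload cannot clobber top-level event fields.
  json {
    source => "message"
    target => "logInfo"
  }

  # Only flatten when the parse succeeded. Without this guard a non-JSON line
  # (e.g. a bare stack-trace frame) gets the literal text "%{[logInfo][level]}"
  # stored in every flattened field instead of a value.
  if "_jsonparsefailure" not in [tags] {
    mutate {
      add_field => {
        "level"        => "%{[logInfo][level]}"
        "appName"      => "%{[logInfo][app_name]}"
        "thread"       => "%{[logInfo][thread_name]}"
        "loggerName"   => "%{[logInfo][logger_name]}"
        "logMessage"   => "%{[logInfo][message]}"
        "logtimestamp" => "%{[logInfo][@timestamp]}"
      }
    }

    # Copy the stack trace for ERROR events, but only when the producer sent
    # one; the existence check avoids storing the literal
    # "%{[logInfo][stack_trace]}" string when the key is absent.
    if [level] == "ERROR" and [logInfo][stack_trace] {
      mutate {
        add_field => { "stackTrace" => "%{[logInfo][stack_trace]}" }
      }
    }

    # Set the event's @timestamp from the application's own timestamp so the
    # index reflects when the line was logged, not when Logstash received it.
    # The original matched a field named "timestamp" that nothing in this
    # pipeline populates (the grok above is disabled), so the date filter was
    # dead. ISO8601 is what logstash-logback-encoder emits for @timestamp; the
    # second pattern is kept for producers using the older space-separated
    # format. Events that match neither are tagged rather than dropped.
    date {
      match => ["logtimestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss.SSS"]
      tag_on_failure => ["_dateparsefailure"]
    }
  }

  mutate {
    # Left disabled as in the original: dropping [logInfo] and [message] would
    # roughly halve the stored size of each event, but the raw payload is still
    # useful while the flattened mapping is being validated. Re-enable once the
    # fields above are confirmed complete.
    # remove_field => ["logInfo", "message"]
  }
}

output {
  elasticsearch {
    # NOTE(review): the cluster is addressed over plain http, so the credential
    # below and every log line (stack traces included) cross the network in
    # clear text. Switch to https:// and set ssl_certificate_verification =>
    # true with a cacert once the cluster has TLS enabled.
    hosts => ["http://10.12.174.15:9200", "http://10.12.174.16:9200", "http://10.12.174.17:9200"]
    user  => "logstash_internal"
    # Read from the environment or the Logstash keystore (both use the ${VAR}
    # syntax) instead of being committed in clear text. The password that was
    # hard-coded in this file has been exposed and must be rotated.
    password => "${ES_PASSWORD}"
    index => "notification-gateway-%{+YYYY.MM.dd}"
  }

  # Debug sink: writes a complete copy of every event, stack traces included,
  # into a user's home directory with default file permissions. Remove before
  # this pipeline runs anywhere other than a test host.
  file {
    path => "/home/ubuntu/test_logstash_syslog"
  }
}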