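---
# Vector pipeline: tail the Apache httpd access and error logs and turn each
# line into a structured event tagged service=httpd / group=web.
sources:
  in_logs_httpd:
    type: file
    include: ["/var/log/httpd/access_log", "/var/log/httpd/error_log"]

transforms:
  format_logs_httpd:
    type: remap
    inputs: ["in_logs_httpd"]
    source: |
      # Tag before parsing so every event from this source carries its
      # routing labels, including lines the parsers reject.
      .service = "httpd"
      .group = "web"

      # The parsers are called in their fallible form (no `!`). With `!`, one
      # unparseable line aborts the program and, with remap's default
      # drop_on_error: false, the event is forwarded unmodified: no tags and
      # no marker. Malformed lines are often the ones worth reviewing, so the
      # error is recorded on the event in .parse_error instead.
      # NOTE(review): .http fields (request, referrer, agent, ...) come from
      # client-controlled input; treat them as untrusted downstream.
      if .file == "/var/log/httpd/access_log" {
        # Pattern expects a hostname token ahead of the combined-log fields;
        # confirm this matches the LogFormat configured in httpd.
        parsed, err = parse_grok(.message, "%{HOSTNAME:host} %{HTTPD_COMBINEDLOG}")
        if err == null {
          .http = parsed
        } else {
          .parse_error = err
        }
      } else if .file == "/var/log/httpd/error_log" {
        parsed, err = parse_apache_log(.message, format: "error")
        if err == null {
          .http = parsed
        } else {
          .parse_error = err
        }
      }

      # Promote the parsed timestamp to the event timestamp; when it is absent
      # or does not match the format, fall back to the processing time.
      .timestamp = parse_timestamp(del(.http.timestamp), format: "%d/%h/%Y:%H:%M:%S %z") ?? now()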