---
# Vector pipeline fragment: tail the nginx access and error logs and normalise
# each line into a structured event tagged service=nginx / group=web.
sources:
  # File source that tails the two nginx log files listed under `include`.
  in_logs_nginx:
    type: file
    include:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log

transforms:
  # Remap (VRL) transform fed only by in_logs_nginx.
  #
  # What the program below does, in order:
  #   1. Branches on `.file` and parses `.message` into `.http`:
  #        - access.log: grok pattern, a leading HOSTNAME token captured as
  #          `host` followed by HTTPD_COMBINEDLOG.
  #          NOTE(review): this presumes nginx's log_format writes a hostname
  #          before the combined-format fields; confirm against nginx.conf.
  #        - error.log: parse_nginx_log with format "error".
  #   2. Moves `.http.timestamp` to the top-level `.timestamp` (del() removes
  #      it from `.http`), parsing it with "%d/%h/%Y:%H:%M:%S %z"; if that
  #      fails or the field is absent, falls back to now().
  #   3. Sets `.service` and `.group` to fixed values.
  #
  # Review notes for whoever consumes these events:
  #   - Both parsers are called in their `!` form, so a line that does not
  #     match ends the program with a runtime error before steps 2-3 run.
  #     `drop_on_error` is not set here; with Vector's documented default the
  #     original event is then forwarded unmodified, i.e. without `.http`,
  #     `.service` or `.group`. Anything downstream that routes or alerts on
  #     those fields will not see such lines; confirm that unparsed events
  #     are still collected somewhere and that parse errors are monitored.
  #   - The now() fallback stamps ingestion time with no marker on the event,
  #     so a substituted timestamp cannot later be told apart from a parsed
  #     one when building a timeline.
  #   - Most access-log fields captured into `.http` (request line, referrer,
  #     user agent) are client-supplied; treat them as untrusted data in
  #     sinks, dashboards and queries.
  format_logs_nginx:
    type: remap
    inputs:
      - in_logs_nginx
    source: |
      if (.file == "/var/log/nginx/access.log"){
        .http = parse_grok!(.message, "%{HOSTNAME:host} %{HTTPD_COMBINEDLOG}")
      } else if (.file == "/var/log/nginx/error.log"){
        .http = parse_nginx_log!(.message, format:"error")
      }
      .timestamp = parse_timestamp(del(.http.timestamp), format: "%d/%h/%Y:%H:%M:%S %z") ?? now()
      .service = "nginx"
      .group = "web"