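---
# Log pipeline (Vector-style `file` source + `remap` transform) that tails
# Samba's JSON audit logs and normalises each line into a structured event.
sources:
  in_logs_samba:
    type: file
    # Going by the file names: authentication events, directory database
    # (dsdb) changes, password changes and dsdb transactions.
    # NOTE(review): these records presumably carry account names and client
    # addresses; confirm the downstream sink is access-controlled.
    include:
      - /var/log/samba/json/auth.log
      - /var/log/samba/json/dsdb.log
      - /var/log/samba/json/dsdb_password.log
      - /var/log/samba/json/dsdb_transaction.log

transforms:
  format_logs_samba:
    type: remap
    inputs: ["in_logs_samba"]
    source: |
      # Coerce the raw line to a string; the `!` form raises an error if
      # .message is any other type.
      .message = string!(.message)

      # Lines that are not valid JSON are left as-is (no .samba object).
      if (is_json(.message)) {
        .samba = parse_json!(.message)

        # Promote Samba's own event time to .timestamp. The original string
        # is removed only once it has parsed: if parsing fails, .timestamp
        # falls back to ingest time (now()) and .samba.timestamp is kept, so
        # the event time the log actually recorded is not lost and a bad
        # timestamp stays visible for later investigation.
        ts, err = parse_timestamp(.samba.timestamp, format: "%FT%H:%M:%S%.f%z")
        if err == null {
          .timestamp = ts
          del(.samba.timestamp)
        } else {
          .timestamp = now()
        }
      }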