---

sources:
  in_logs_vault:
    type: file
    include:
      - /opt/vault/log/audit.json

transforms:
  format_logs_vault:
    type: remap
    inputs: ["in_logs_vault"]
    source: |
      .message = string!(.message)
      if (is_json(.message)) {
        .vault = parse_json!(.message)
        .timestamp = parse_timestamp(del(.vault.time), format: "%FT%H:%M:%S%.fZ", timezone: "UTC") ?? now()
      }