filter-50-checkable.conf

filter {
  if [icinga][facility] == "Checkable" {
    if [message] =~ /^Notifications are disabled for/ {
      grok {
        match => ["message","Notifications are disabled for %{WORD:[icinga][objecttype]} '%{DATA:[icinga][object]}'."]
        id => "icinga_notificationsdisabled"
        add_tag => "icinga_notificationsdisabled"
        tag_on_failure => ["_grokparsefailure","icinga_notificationsdisabled_failed"]
        add_field => {
          "[icinga][eventtype]" => "notifications_disabled"
        }
      }
    } else if [message] =~ /^Checking for configured notifications for object / {
      grok {
        match => ["message","Checking for configured notifications for object '%{DATA:[icinga][object]}'"]
        id => "icinga_checkingfornotifications"
        add_tag => "icinga_checkingfornotifications"
        tag_on_failure => ["_grokparsefailure","icinga_checkingfornotifications_failed"]
        add_field => {
          "[icinga][eventtype]" => "checking_for_notifications"
        }
      }
    } else if [message] =~ /^Checkable '.+' has / {
      grok {
        match => ["message","Checkable '%{DATA:[icinga][object]}' has %{INT:[icinga][notificationcount]} notification"]
        id => "icinga_checkablenotification"
        add_tag => "icinga_checkablenotification"
        tag_on_failure => ["_grokparsefailure","icinga_checkablenotification_failed"]
        add_field => {
          "[icinga][eventtype]" => "checkable_notification"
        }
      }
    } else if [message] =~ /^Update checkable '.+' with check interval '.+/ {
      grok {
        match => ["message","Update checkable '%{DATA:[icinga][object]}' with check interval '%{NUMBER:[icinga][checkinterval]}' from last check time at %{TOMCAT_DATESTAMP:[icinga][checkoriginal]} %{DATA} to next check time at %{DATA:[icinga][checknext]}\("]
        id => "icinga_checkableupdate"
        add_tag => "icinga_checkableupdate"
        add_field => {
          "[icinga][eventtype]" => "checkable_update"
        }
      }
    } else if [message] =~ /^State Change: Checkable '.+ state change from .+ to .+/ {
      grok {
        match => ["message","State Change: Checkable '%{DATA:[icinga][object]}' %{WORD:[state][changetype]} state change from %{WORD:[state][original]} to %{WORD:[state][new]} detected."]
        id => "icinga_statechange"
        add_tag => "icinga_statechange"
        add_field => {
          "[icinga][eventtype]" => "checkable_state_change"
        }
      }
    }
  }
}