# Logstash pipeline for the fundplatform application logs.
# Reads JSON log events (Beats listener + local file), normalises the
# timestamp and level fields, and ships the result to Elasticsearch.

input {
  # Beats listener.
  # NOTE(review): no ssl_* options are set on this input, so as configured it
  # accepts plaintext connections from any host that can reach port 5044.
  # Confirm the port is only reachable from trusted shippers, or enable TLS
  # with client-certificate verification on this plugin.
  # NOTE(review): nothing here sets [type] on Beats events; they only pass the
  # "application" conditionals below if the shipper sets that field itself.
  beats {
    port => 5044
  }

  # Local JSON log file written by the application.
  file {
    type           => "application"
    path           => "/var/log/fundplatform/fund-sys-json.log"
    codec          => "json"
    start_position => "beginning"
    # NOTE(review): with sincedb_path pointing at /dev/null the read offset is
    # never persisted, so together with start_position => "beginning" the whole
    # file is re-ingested after every restart (duplicate documents). Usual for
    # testing; for a pipeline labelled "production" below, confirm it is intended.
    sincedb_path   => "/dev/null"
  }
}

filter {
  if [type] == "application" {
    # Parse the application's own timestamp into @timestamp.
    # NOTE(review): the pattern carries no zone and no `timezone` option is set,
    # so the value is presumably interpreted in the Logstash host's time zone.
    # Confirm this matches the zone the application logs in.
    date {
      match  => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
      target => "@timestamp"
    }

    # Attach static environment / source labels.
    # The environment value is hard-coded, not derived from the event.
    mutate {
      add_field => {
        "environment" => "production"
        "log_source"  => "fundplatform"
      }
    }

    # Copy the log level into a dedicated field when the event has one.
    if [level] {
      mutate {
        add_field => { "log_level" => "%{level}" }
      }
    }

    # Tag ERROR events so the output stage can route them separately.
    if [level] == "ERROR" {
      mutate {
        add_tag => [ "error_log" ]
      }
    }
  }
}

output {
  # NOTE(review): neither elasticsearch output configures credentials or TLS,
  # so as written Logstash connects to elasticsearch:9200 unauthenticated and
  # unencrypted. Confirm the cluster is only reachable on a trusted network, or
  # add authentication and TLS settings to both outputs.

  # Main daily index for all application events.
  if [type] == "application" {
    elasticsearch {
      hosts         => ["elasticsearch:9200"]
      index         => "fundplatform-logs-%{+YYYY.MM.dd}"
      template_name => "fundplatform"
    }
  }

  # Separate daily index for error events.
  # The "error_log" tag is only added inside the "application" branch of the
  # filter, so tagged events are written to both indices.
  if "error_log" in [tags] {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "fundplatform-errors-%{+YYYY.MM.dd}"
    }
  }

  # Also print every event to the console (debugging aid).
  # NOTE(review): this output is unconditional, so the full content of every
  # event, including Beats events that skip the branches above, is copied
  # into the Logstash process/container log. With "environment" set to
  # "production", consider removing it or guarding it once debugging is done.
  stdout {
    codec => rubydebug
  }
}