// Parser for Logging format of SkyCave / MSDO by Henrik Bærbak
// For one reason or the other, it appears that a unique ID is
// inserted in front of the log message, therefore a regexp for 'id2'
// has been inserted.
// That is 'timestamp [loglevel] class :: (key-value list)'

// Extract id2, timestamp (as field ts), loglevel, and class.
// The literal ' ::' separator after the class is matched so that only
// the key-value list follows the part consumed by this regex.
/^(?<id2>\S+) (?<ts>\S+) \[(?<loglevel>[^\]]+)\] (?<class>\S+) ::/

| // Convert the timestamp to unix time (as required by Humio's @timestamp field)
@timestamp := parseTimestamp("yyyy-MM-dd'T'HH:mm:ss[.SSS]XXX", field=ts)

| // We no longer need the ts field. (Don't include it in the event's fields)
drop([ts])

| // Extract any key value pairs (e.g. fruit=banana) and create new fields.
kvParse()
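To check what the parser above produces before deploying it, here is an added stand-alone Python re-implementation of the same four steps (it is not part of Henrik Bærbak's parser or of Humio). The log line, the key-value grammar and the field names `loglevel`/`class` are assumptions taken from the comments above.

```python
import re
from datetime import datetime
from typing import Optional

# Mirrors the Humio regex: leading unique id, ISO-8601 timestamp, [loglevel],
# logger class, then the " :: " separator and the key-value list.
LINE_RE = re.compile(
    r"^(?P<id2>\S+) (?P<ts>\S+) \[(?P<loglevel>[^\]]+)\] (?P<class>\S+) :: (?P<kv>.*)$"
)

# Approximation of Humio's kvParse(): key=value pairs, value either
# double-quoted (may contain spaces) or a bare token. Assumed, not Humio's code.
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w.]*)=(?P<val>"[^"]*"|\S+)')


def parse_timestamp(ts: str) -> float:
    """Convert 'yyyy-MM-dd'T'HH:mm:ss[.SSS]XXX' to Unix seconds (the @timestamp step)."""
    # fromisoformat handles an optional fraction and a +HH:MM offset on Python 3.7+;
    # a trailing 'Z' is only accepted from 3.11, so normalise it explicitly.
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts).timestamp()


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields the parser would emit for one line, or None if unmatched."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # a line that does not match the regex fails the parser
    event = {
        "id2": m.group("id2"),
        "loglevel": m.group("loglevel"),
        "class": m.group("class"),
        "@timestamp": parse_timestamp(m.group("ts")),  # raw ts is dropped
    }
    # kvParse(): every key=value pair becomes a field on the event
    for kv in KV_RE.finditer(m.group("kv")):
        event[kv.group("key")] = kv.group("val").strip('"')
    return event


# Constructed sample line in the described format (not a real SkyCave log).
SAMPLE = ("7f3a1c9e 2021-03-04T12:34:56.789+01:00 [INFO] "
          'cloud.cave.server.PlayerServant :: method=login player="Mikkel" result=OK')

if __name__ == "__main__":
    print(parse_line(SAMPLE))
```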