# filters elasticsearch messages
#
# Graylog pipeline rules (Terraform `graylog_pipeline_rule` resources) plus the
# stream/pipeline wiring that diverts messages whose `facility` is
# "elasticsearch" into their own stream and tags one known noisy line as junk.
#
# Both `''${...}` inside '' strings and `\${...}` inside "" strings evaluate to
# a literal `${...}`, so the interpolation is performed by Terraform, not Nix.
# NOTE(review): the `graylog.stream.*` / `graylog.pipeline.*` attributes are
# presumably consumed by a module that turns them into Terraform resources —
# confirm against that module.
{
  resource.graylog_pipeline_rule = {
    # Listed in all_messages.rules below, so this runs on the default stream:
    # elasticsearch-facility messages move to the elasticsearch stream and,
    # because of remove_from_default, no longer appear in the default stream.
    routeToElasticSearchMessage = {
      description = "route elasticsearch messages to elasticsearch stream (TF)";
      source = ''
        rule "route elasticsearch message"
        when
          to_string($message.facility) == "elasticsearch"
        then
          route_to_stream(id:"''${ graylog_stream.elasticsearch.id }", remove_from_default: true);
        end
      '';
    };

    # Referenced by the processElasticSearchMessage pipeline below: marks the
    # "Received short packet" line as junk and moves it to the junk stream.
    # The message is not discarded, only re-routed, so it stays searchable.
    elasticsearchJunk = {
      description = "mark elasticsearch noise as junk (TF)";
      source = ''
        rule "mark and route elasticsearch junk"
        when
          starts_with(to_string($message.message), "Received short packet")
        then
          set_field("is_junk", true);
          route_to_stream(id:"''${graylog_stream.junk.id}", remove_from_default: true);
        end
      '';
    };
  };

  graylog = {
    # Graylog rule *titles* (the `rule "..."` names), not Nix attribute names.
    all_messages.rules = [ "route elasticsearch message" ];

    # Stream fed by routeToElasticSearchMessage; attaches the junk pipeline.
    stream.elasticsearch = {
      index_set_id = "\${data.graylog_index_set.default.id}";
      pipelines = [ "\${graylog_pipeline.processElasticSearchMessage.id}" ];
    };

    # Single-stage pipeline that applies the junk rule to the stream above.
    pipeline.processElasticSearchMessage = {
      description = "process messages of the elasticsearch stream(TF)";
      source = ''
        stage 0 match all
        rule "mark and route elasticsearch junk";
      '';
    };
  };
}