9]+\t(?<appid>[^\t]*)\t(?<requestedHost>[^\t]*)\t(?<path>[^\t]*)\t([^\t]*)\t([^\t]*)\t(?<method>\S+)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\t(?<uaid>.+[\t]*)\t(?<agent>[^\t]*)\t(?<jsessionid>[^\t]*)\t(?<remoteIP>[^\t]*)\t(?<referrer>[^\t]*)\t(?<carrierid>[^\t]*)\t(?<requestType>\d+[^\t]*)\t([^\t]*)\t(?<code>[^\t]*)\t(?<uuid>[^\t]*)\t(?<size>[^\t]*).*$/
pos_file <your position file>
tag mylog
</source>
<match mylog>
type grep
input_key requestType
regexp [^569] # only keep 5, 6, or 9 request types
add_tag_prefix filtered_request_type
</match>
<match filtered_request_type.mylog>
type grep
input_key uaid
regexp ^(999-|502-) # filter out the ones starting with 999- or 502-
add_tag-prefix filtered_uaid
</match>
<match filtered_uaid.filtered_requet_type.mylog>
type <your output plugin>
...
</match>
Let us know if you have more questions.
kiyoto