# Pastebin iQS3goDw
#--------------------
# Tomcat Access  
#--------------------
  if [type] == "apache-access" and [message] !~ "GET \/webapps\/portal\/healthCheck HTTP\/1.0" {
    grok {
      match => [ "message", "%{IP:src_ip} - %{USERNAME:thread_name} %{DATA:suid} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:status_code} (?<bytes>[\d-]+) %{QS:http_useragent} \"(?<session_data>(-|.*))\" %{NUMBER:time_served_s} (?<time_served_ms>(-|%{NUMBER}))" ]
    }
  }