Logstash and elastic search: Split up values within a value

0
votes

Just getting started with logstash and elastic search

Below is my log:

2015-09-09 16:02:23 GET /NeedA/some1/some2/some3/NeedB/some4/NeedC f=json - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_10_5)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/44.0.2403.157+Safari/537.36 http://localhost:3000/ 200 373 554 46

Using the config file below, I was able to get seperate out the url: /NeedA/some1/some2/some3/NeedB/some4/NeedC

filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} %{URIPATH:url} %{NOTSPACE:querystring} %{NOTSPACE:username} %{IPORHOST:ipaddress} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:scstatus} %{NUMBER:scbytes:int} %{NUMBER:csbytes:int} %{NUMBER:timetaken:int}"]
  }
  date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Etc/UCT"
  }
}

Question: How do I seperate out NeedA, NeedB and NeedC from /NeedA/some1/some2/some3/NeedB/some4/NeedC and put it as different fields in elastic search

1
elasticsearchlogstashgrok

1 Answers

0
votes

Here is the solution:

grok {
                match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:fieldA}\/.*\/.*\/.*\/%{WORD:fieldB}\/.*\/%{WORD:fieldC} %{NOTSPACE:querystring} %{NOTSPACE:username} %{IPORHOST:ipaddress} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:scstatus} %{NUMBER:scbytes:int} %{NUMBER:csbytes:int} %{NUMBER:timetaken:int}"]
        }

In your grok, just replace %{URIPATH:url} by \/%{WORD:fieldA}\/.*\/.*\/.*\/%{WORD:fieldB}\/.*\/%{WORD:fieldC}

The output result:

{
          "message" => "2015-09-09 16:02:23 GET /NeedA/some1/some2/some3/NeedB/some4/NeedC f=json - 127.0.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_10_5)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/44.0.2403.157+Safari/537.36 http://localhost:3000/ 200 373 554 46",
         "@version" => "1",
       "@timestamp" => "2015-09-09T16:02:23.000Z",
             "host" => "MyHost.local",
             "path" => "/path/of/test.log",
    "log_timestamp" => "2015-09-09 16:02:23",
           "method" => "GET",
           "fieldA" => "NeedA",
           "fieldB" => "NeedB",
           "fieldC" => "NeedC",
      "querystring" => "f=json",
         "username" => "-",
        "ipaddress" => "127.0.0.1",
        "useragent" => "Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_10_5)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/44.0.2403.157+Safari/537.36",
          "referer" => "http://localhost:3000/",
         "scstatus" => "200",
          "scbytes" => 373,
          "csbytes" => 554,
        "timetaken" => 46
}

Regards, Alain