Add field based on another

sandikata · September 30, 2020, 1:18pm

Hello.
I'd like to know if there's any possibility to add new field based on request filed, but with some regex.

(%{NOTSPACE:request}[?#$]\S*)

i'd like to add this one as field "request_file" and the full output to stay in original filed "request"

There's nothing related in documentation (or maybe lacks).
Please give me some ideas.

Badger · September 30, 2020, 1:22pm

grok perhaps? It is not clear what you really want to do.

sandikata · September 30, 2020, 1:25pm

Well, the original request for example

pattern:
%{NOTSPACE:request}

/api/v1/projects/details.php?&clickID=*********

should remain as request field

Need to add new one field called request_file

which should be taken from pattern with regex
pattern:

(%{NOTSPACE:request}[?#$]\S*)

And should display only the requested file, for example.

/api/v1/projects/details.php

sandikata · September 30, 2020, 1:32pm

I am not sure, and cannot even understand ELK stack. I've added this line to mutate filter.

add_field => { "request_file" => ["(%{NOTSPACE:request}[?#$]\S*)"] }

I don't even know if it's correct.

Badger · September 30, 2020, 1:39pm

That is not going to work. I think you want grok. Assuming that the [request] field contains the string '/api/v1/projects/details.php?&clickID=*********' you could try

grok { match => { "request" => "%{NOTSPACE:request_file}\?" } }

or

grok { match => { "request" => "%{URIPATH:request_file}%{URIPARAM:request_params}" } }

sandikata · September 30, 2020, 1:42pm

Can i use more that one grok in filter ?

Badger · September 30, 2020, 1:44pm

Yes.

sandikata · September 30, 2020, 1:45pm

It does the trick, thanks!
I have one more question, but maybe it's better to open new ticket?

sandikata · October 1, 2020, 10:06am

Well. the task were changed again.

And i was forced to add $uri to nginx log format, and now i need some suggestion how to create a new pattern to display it.

New log format

server.example.com 123.123.123.123 [01/Oct/2020:09:52:08 +0000] "POST /ws/whitelabel.php HTTP/2.0" 200 27429 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36" "command=getUserCampaigns&token=*********************************** " "-" "-" "-" 0.152 "/ws/whitelabel.php"

As you can see the request_file is now latest, how can I make it again to be added as field?

Is it like that?

%{NOTSPACE:request_file}

sandikata · October 14, 2020, 11:24am

It works but not relevant anymore.
Anyway Thank You for tips.

system · November 11, 2020, 11:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.