Can we have a regex to only get 2 or 3 level deep urls from a nginx logs, before passing them on

(Prateek Gokhale) #1

I am using filebeat to get the nginx logs and pass them to the "wavefront" Now the log line in nginx looks like this:

- - [09/Jan/2018:09:16:07 +0000] "GET /abc/def/ghi/jkl/mnop? HTTP/1.1" 200 4471 "http://:8000" "ServiceHost/xxx" 0.035 0.035 .
Is there a way in the filebeat.yaml prospectors to read this logline but only send the the url 2 or 3 levels deep. So I only want to send /abc/def/ghi and not the whole to the wavefront.


(Mark Walkom) #2

This looks related to How to define custom grock to get only 3 levels deep url

Given you need to do this with grok I will close this one. In future it'd be great if you can just ask in one place :slight_smile:

(Mark Walkom) #3