Create Apache Response Code Field

sanjeev1895 · June 1, 2023, 7:22am

Hi Guys,
Can anyone help me to do the following configuration to work as expected.
I'm trying to create the separate field for apache response code status using grok filter but it print IP address first two octect.
Grok Filter configuration:

filter {
grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
grok {
      match => { "message" => "%{URIPROTO}://%{HOSTNAME:domain}" }
    }
grok {
      match => { "message" => "%{NUMBER:response}" }
    }
}

I'm receiving output like below,
response 192.168

Badger · June 1, 2023, 6:08pm

That will match the first occurrence of anything that looks like a number in the [message] field. And the first two octets of an IP address look like a number, so it matches.

Why are you doing this grok at all? The first grok that matches against COMBINEDAPACHELOG will have created a [response] field containing the HTTP status.

system · June 29, 2023, 6:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.