Hi - I have a strange issue that I can't make heads or tails of. When I parse a log type for %{HTTPDATE} it works fine, but when I also want to add %{IPORHOST}, the entire log never makes it to Elasticsearch - I've looked by tag, by text search, etc. Here are the stanzas:
    if "apache" in [tags] and "external" in [tags] and "legacy" in [tags] {
      grok {
        match => [ "message", "%{IPORHOST:src_ip}.+*%{HTTPDATE:timestamp}" ]
        overwrite => [ "timestamp", "message" ]
        tag_on_failure => [ "grokfail_legacy" ]
      }
      date {
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        add_tag => "dateparsesuccess_legacy"
      }
    }
Filebeat is tagging correctly (I can see the fields when grepping redis-cli), and when I remove that IPORHOST pattern and have it just:

    match => [ "message", "%{HTTPDATE:timestamp}" ]
It works ok. Trouble is, I want that IPAddress! Is this a bug, or am I doing something dumb? Thanks.
Which IP address(es) do you want to capture? If you want to capture more than one, where should they be stored? All in one field (i.e. making it an array field)? Something else?
I managed to work out the capture, thanks. Just a stupid typo in my regex - the second IP is Cloudflare, so not necessary to keep. The correct (or at least working) solution for me is simply:

    match => [ "message", "%{IPORHOST:clientip}+.*\[%{HTTPDATE:timestamp}" ]
This claims the first IP, skips everything else up until the HTTPDATE and claims that as "timestamp". All good. Thanks.
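To see what the working pattern from the last reply actually captures, here is an added Python example (not from the thread, and not Logstash's own code) that expands grok references into a Python regex using simplified stand-ins for the IPORHOST and HTTPDATE base patterns, then runs it over a constructed Apache-style line with a client IP followed by a Cloudflare-style proxy IP.

```python
import re
from typing import Optional

# Simplified versions of the Logstash grok base patterns used in the thread.
# The real library definitions are longer; these are assumptions for the demo.
IPV4 = r"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])"
HOSTNAME = r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b"
PATTERNS = {
    "IPORHOST": rf"(?:{IPV4}|{HOSTNAME})",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60))",
    "INT": r"(?:[+-]?[0-9]+)",
}
PATTERNS["HTTPDATE"] = "%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}"

# %{NAME} or %{NAME:field}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Recursively expand grok references into a Python regex.
    A %{NAME:field} reference becomes a named group (?P<field>...)."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Return the captured fields, or None when the line does not match
    (the case Logstash would mark with tag_on_failure)."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Constructed sample: origin client IP first, then a proxy (Cloudflare-style) IP.
SAMPLE_LINE = ('203.0.113.7 198.51.100.9 - - [10/Oct/2000:13:55:36 -0700] '
               '"GET /index.html HTTP/1.1" 200 2326')
WORKING = r"%{IPORHOST:clientip}+.*\[%{HTTPDATE:timestamp}"

if __name__ == "__main__":
    # The greedy .* skips the second IP and everything else up to the "[".
    print(grok_match(WORKING, SAMPLE_LINE))
```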