I use logstash to send apache log to elasticsearch. In the file config of logstash I have a filter
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
In the list of fields of the obtained data I have the field "referrer" of which I would like to extract the subdomain. If for example:
referrer = "http://mysubdomain.mydomain.com/controller/action"
then i need to extract the string "mysubdomain" and assign it to a new "subdomain" field.
Use grok and match against
"https?://(?<subdomain>[^/]+)\.[^\./]+\.[^\./]+/"
Updated to name subdomain instead of domain.
I'm new to logstash. If you can tell me how to complete my grok it will be nice of you 
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
grok {
match => ???
}
grok { match => [ "referrer", "https?://(?<subdomain>[^/]+)\.[^\./]+\.[^\./]+/" ] }
should do it.
Don't works for me. The referrer is variable:
referrer = "http://mysubdomain.mydomain.com/controller/action"
referrer = "http://mysubdomain.mydomain.com/controller/action/param..."
referrer = "http://mysubdomain.mydomain.com"
And I can have https or http.
It already handles https. If the trailing / is optional then use
grok { match => [ "referrer", "https?://(?<subdomain>[^/]+)\.[^\./]+\.[^\./]+(/|$)" ] }It works. Thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.