Extract word from field

Majuan · March 26, 2018, 12:35pm

I have Apache logs to index, but i would like to extract more information after groking the logs. One log line is like this :
\ 10.23.252.66 - - [26/Mar/2018:01:54:40 +0200] "GET /AppName/services/rest/supervision/supervise HTTP/1.1" 200 2026 "-" "check_http/v2.2.1 (nagios-plugins 2.2.1)" </>

I use this grok pattern and it's working :
\ grok {
match => [
"message", "%{COMMONAPACHELOG}( (?:%{QS:referrer}) (?:%{QS:agent}))?"
]
}

But i want to extract the AppName from the field %{request}. How to do it?

magnusbaeck · March 26, 2018, 6:12pm

Use a second grok filter to parse the field that contains the request. If the application name is always the first directory component you can use ^/(?<appname>[^/]+)/ as the grok expression in that filter.

system · April 23, 2018, 6:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.