Extracting data from message


I used grok and geo IP filter to extract the data fields from the message but I am unable to do. So, I even used disscent filter as all my logs have the same pattern I found no luck. How can I achieve this task? Please advice.

2017-02-14T23:55:29.784176Z LCPROD-APACHE xxx.x6.x8.x6:xxx737 xxx.xx.xx.xx:443 0.000047 0.001386 0.000022 301 301 368 350 "POST https://xxx.com:443/autodiscover/autodiscover.xml HTTP/1.1" "Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7151; Pro)" xxxx-RSA-xxx128-SHA TLSv1

dissect {
mapping => {
message => "{request_timestamp} %{elb_name} %{request_ip} %{request_port} %{backend_ip},%{backend_port},%{request_processing_time},%{backend_processing_time},%{client_response_time},%{elb_response_code},%{backend_response_code},%{received_bytes},%{sent_bytes},%{request_verb},%{url},%{protocol},%{user_agent},%{ssl_cipher},%{ssl_protocol}"


Your fields are not comma separated, so do not use commas in your dissect mapping, use spaces, or colons, or double quotes or whatever the delimiters in your message are

    mapping => {
        message => '%{request_timestamp} %{elb_name} %{request_ip}:%{request_port} %{backend_ip}:%{backend_port} %{request_processing_time} %{backend_processing_time} %{client_response_time} %{elb_response_code} %{backend_response_code} %{received_bytes} %{sent_bytes} "%{request_verb} %{url} %{protocol}" "%{user_agent}" %{ssl_cipher} %{ssl_protocol}'

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.