Extracting fields from GREEDY data in GROK

shroh · August 2, 2017, 5:26pm

I have a web access log from which i need to create the fields, below is the log line:

10.202.103.252 - ECG358 [02/Aug/2017:16:48:53 +0000] "GET /app-web/tutor/applications/14/notes?category=All&offset=0&limit=30&count=true HTTP/1.1" 200 5128 Client-Correlation-Id="bbfd0962-b91f-e192-223f-e4afc316ab00" ResponseSecs=0 ResponseMicros=59908 "https://aplication.cloud.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

I created a GROK pattern using %{COMMONAPACHELOG} %{GREEDYDATA}.

This pattern does the job till the number 5128 in the above logs and rest everything is captured in a field called GREEDYDATA. so the GREEDYDATE field has this log line:

"Client-Correlation-Id="bbfd0962-b91f-e192-223f-e4afc316ab00" ResponseSecs=0 ResponseMicros=59908 "https://aplication.cloud.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko""

Now the challenge here is i have to extract extra fields from this GRREDYDATA field. Any help is highly appreciated.

CDR · August 2, 2017, 9:01pm

When you use GREEDYDATA it will take whatever is left of the log message and store it in that variable. What you should do is not use GREEDYDATA and break your usage of it up into smaller chunks of the variables/information that you want to store.

system · August 30, 2017, 9:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract specifc field from greedydata Logstash	5	663	July 1, 2019
Create new field from existing field using REGEX Logstash	4	1061	November 21, 2019
Assistance with grok Logstash	2	317	March 9, 2018
Logstash grok For GREEDYDATA Field Logstash	3	980	March 6, 2019
Fields are merge grok output Logstash	9	504	June 21, 2020

Extracting fields from GREEDY data in GROK

Related topics