Extracting fields from GREEDY data in GROK

shroh · August 2, 2017, 5:26pm

I have a web access log from which i need to create the fields, below is the log line:

10.202.103.252 - ECG358 [02/Aug/2017:16:48:53 +0000] "GET /app-web/tutor/applications/14/notes?category=All&offset=0&limit=30&count=true HTTP/1.1" 200 5128 Client-Correlation-Id="bbfd0962-b91f-e192-223f-e4afc316ab00" ResponseSecs=0 ResponseMicros=59908 "https://aplication.cloud.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

I created a GROK pattern using %{COMMONAPACHELOG} %{GREEDYDATA}.

This pattern does the job till the number 5128 in the above logs and rest everything is captured in a field called GREEDYDATA. so the GREEDYDATE field has this log line:

"Client-Correlation-Id="bbfd0962-b91f-e192-223f-e4afc316ab00" ResponseSecs=0 ResponseMicros=59908 "https://aplication.cloud.domain.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko""

Now the challenge here is i have to extract extra fields from this GRREDYDATA field. Any help is highly appreciated.

CDR · August 2, 2017, 9:01pm

When you use GREEDYDATA it will take whatever is left of the log message and store it in that variable. What you should do is not use GREEDYDATA and break your usage of it up into smaller chunks of the variables/information that you want to store.

system · August 30, 2017, 9:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.