Filter HTTPD_COMBINEDLOG does not display QS:agent field in Kibana

Hi All,

I'm new to ELK, but it seems this should be an easy filter.
I'm using Filebeat version 7.9.2 to send Apache access logs to Logstash 7.9.2 and then on to AWS Elasticsearch and Kibana 7.7 with the AWS ES plug-in.

Here is the Logstash filter:

    filter {
      grok {
        match => { "message" => "%{HTTPD_COMBINEDLOG}" }
      }
    }

Here is the message field format from Kibana:

    10.204.16.46 - - [30/Sep/2020:15:36:36 -0700] "POST /internal/api/webapp/events HTTP/1.1" 200 - "https://beta.doc-dev-wd.com/reader/gJQvxHUyQOZv_31Vknf~3w/dPudklIPxD0e9EjSI3V7Gw" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"

It seems the QS:agent field is the only field NOT displaying in Kibana; all other fields are displayed.
How do I get the QS:agent field to display in Kibana?

Thank you,
Earl

Any help on the above is appreciated.

-Earl
