Hello, I want to filter Apache access logs before giving them to Elasticsearch. I want to filter specific IPs and remove the lines where the IPs don't occur. But at the moment I am struggling with the grok filter.
I am using Grok Debugger with the pattern %{IPV4:ip} which is able to get me one single IP from one input line. Is Grok Debugger able to work with multiple lines?
How do I search for specific IP(s) and remove the other lines?
I am using Grok Debugger with the pattern %{IPV4:ip} which is able to get me one single IP from one input line. Is Grok Debugger able to work with multiple lines?
Yes, if the input lines are joined into a single Logstash event, but that's not something you'll want to do with an access log. Process the lines one by one.
How do I search for specific IP(s) and remove the other lines?
Capture the IP address into a field. If you only have a small number of IP addresses to whitelist (say, single digit) you can just wrap a drop filter in a conditional that compares the IP address field against a fixed list of IP addresses, otherwise use a translate filter to look up the field with the IP address against the contents of a file.
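Both approaches from the answer above, written out as a Logstash pipeline. This is an added example, not the answerer's own configuration: the log path, the allowed addresses (taken from the reserved TEST-NET documentation ranges), the dictionary file path and the ip_allowed field name are all assumptions chosen for illustration. The grok pattern is the questioner's own %{IPV4:ip}, anchored to the start of the line so it captures the client address of a standard Apache access log rather than an IP that appears later in the request.

```logstash
input {
  file {
    # Assumed path; adjust to wherever your access log lives.
    path => "/var/log/apache2/access.log"
    start_position => "beginning"
  }
}

filter {
  # Capture the client address into the "ip" field. Apache access logs start
  # with the client IP, so anchoring with ^ avoids matching some other IPv4
  # literal that happens to occur in the request line or referer.
  grok {
    match => { "message" => "^%{IPV4:ip}" }
  }

  # Lines that do not start with an IPv4 address cannot match the whitelist,
  # so drop them instead of letting them through untagged.
  if "_grokparsefailure" in [tags] {
    drop { }
  }

  # Option A: a handful of allowed addresses, inline. Every event whose ip is
  # not in the list is dropped and never reaches the output (Elasticsearch).
  # The addresses are constructed examples from the TEST-NET ranges.
  if [ip] not in ["192.0.2.10", "192.0.2.11", "198.51.100.7"] {
    drop { }
  }

  # Option B: many allowed addresses kept in a file. Use this *instead of*
  # the conditional above. The dictionary is a YAML map of ip => "yes", e.g.
  #   "192.0.2.10": "yes"
  #   "198.51.100.7": "yes"
  # translate writes the looked-up value into ip_allowed (assumed field name)
  # and, when the ip is absent from the file, writes the fallback value instead.
  #
  # translate {
  #   source          => "[ip]"
  #   target          => "[ip_allowed]"
  #   dictionary_path => "/etc/logstash/allowed_ips.yml"   # assumed path
  #   fallback        => "no"
  #   refresh_interval => 300   # re-read the file every 5 minutes
  # }
  # if [ip_allowed] != "yes" {
  #   drop { }
  # }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed
    index => "apache-filtered-%{+YYYY.MM.dd}"
  }
}
```

The translate filter's `source`/`target` option names are the current ones; older releases of logstash-filter-translate call them `field` and `destination`. Whichever option you pick, test it against a few copied log lines with `bin/logstash -f pipeline.conf` and a `stdout { codec => rubydebug }` output before pointing it at Elasticsearch, and keep the `_grokparsefailure` check: without it, a line with an unexpected format silently passes the whitelist stage with no `ip` field at all.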