Grok extract field problem


(Fred) #1

I have a problem in production.
Versions: ES 651, Filebeat 651.
I modified the nginx template to extract the cookie from the nginx log:

    "grok": {
      "field": "message",
      "patterns": [
        "\"?%{IPV4:nginx.access.remote_ip_list} - %{DATA:nginx.access.user_name} \\[%{HTTPDATE:nginx.access.time}\\] \"%{GREEDYDATA:nginx.access.info}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\" \"%{DATA:nginx.access.cookie}\" \"%{DATA:nginx.access.request_body}\""
      ]
    }

Then I extract the email address from the cookie field:

    "grok": {
      "field": "nginx.access.cookie",
      "patterns": [
        "email=%{EMAILADDRESS:nginx.access.client}",
        ""
      ],
      "ignore_missing": true
    }

But I found that when the cookie field has the following format:

Email=cloris@ucan.com; token=ecc47f17abc040928c3c89c1f31a73a4; lang=en-US

there is no problem, but if the email field is in the middle, nothing can be extracted, such as:
Token=ecc47f17abc040928c3c89c1f31a73a4; email=cloris@ucan.com; lang=en-US

I would appreciate any advice.


(Philip Nunn) #2

For parsing the cookie, you'd be better off using the kv processor for that one field instead of grok. Docs here.


(Fred) #3

Thanks bigphil, it's solved:

    "kv": {
      "field": "nginx.access.cookie",
      "field_split": "; ",
      "value_split": "=",
      "target_field": "nginx.access.userinfo",
      "ignore_missing": true
    }
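As an added example, not from the thread or from Elasticsearch itself: a small Python emulation of what the kv processor in post #3 does to the two cookie shapes from post #1, extended with the processor's `include_keys` option so that only the email is kept and the session token is not copied into the indexed document. The cookie strings below are constructed in the same shape as the ones in the question; the emulation's behaviour on an item that lacks the `=` separator (raising an error, as the real processor does) is an assumption about that edge case.

```python
"""Emulate the Elasticsearch kv ingest processor on nginx cookie strings.

Added example, not the thread's own code. It mimics field_split /
value_split / target_field / include_keys / ignore_missing on a plain
dict so the extraction can be checked offline.
"""
from typing import Optional

# Same settings as the kv processor in post #3, plus include_keys so the
# session token and other cookies are not written into the index.
KV_CONFIG = {
    "field": "nginx.access.cookie",
    "field_split": "; ",
    "value_split": "=",
    "target_field": "nginx.access.userinfo",
    "include_keys": ["email"],
    "ignore_missing": True,
}

# Constructed cookie strings in the shape of post #1: email first, and
# email in the middle (the case where the grok approach failed).
COOKIE_EMAIL_FIRST = "email=cloris@ucan.com; token=ecc47f17abc040928c3c89c1f31a73a4; lang=en-US"
COOKIE_EMAIL_MIDDLE = "token=ecc47f17abc040928c3c89c1f31a73a4; email=cloris@ucan.com; lang=en-US"


def kv_process(doc: dict, cfg: dict = KV_CONFIG) -> dict:
    """Split doc[cfg['field']] into key/value pairs under target_field."""
    raw = doc.get(cfg["field"])
    if raw is None:
        if cfg.get("ignore_missing"):
            return doc  # missing source field is tolerated
        raise KeyError(cfg["field"])
    keep = set(cfg.get("include_keys", []))  # empty set means keep all keys
    pairs = {}
    for item in raw.split(cfg["field_split"]):
        if cfg["value_split"] not in item:
            # Assumption: like the real processor, fail the document here.
            raise ValueError(f"item {item!r} does not contain {cfg['value_split']!r}")
        key, value = item.split(cfg["value_split"], 1)
        if keep and key not in keep:
            continue  # drop keys not listed in include_keys (e.g. token)
        pairs[key] = value
    out = dict(doc)
    out[cfg["target_field"]] = pairs
    return out


def extract_email(cookie: str) -> Optional[str]:
    """Return the email from the cookie regardless of where it sits."""
    doc = kv_process({"nginx.access.cookie": cookie})
    return doc["nginx.access.userinfo"].get("email")
```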