Grok on source field

Dykan_P · February 21, 2018, 9:38am

Hello,

I'm beginner on stack ELK 5.6 and I have a problem : I try to recover my virtualhost and put it in a new field but my grok is false.

The data I want is in source but she has different form :
/var/www/clients/client2/web57/log/20180221-access.log or
/var/www/clients/client1/web62/log/20180221-access.log or
/var/www/clients/client2/web53/log/20180221-access.log

My virtual host is web57 or web62 or web53 and many others and i want record this in a new field (virtualhost).

I try this grok but it's false :

grok {
match => { "source" => "/var/www/clients/%{WORD}/%{WORD:virtualhost}/%{DATA}" }
}

Thanks for your response.
Friendly.

magnusbaeck · February 21, 2018, 10:16am

That filter looks correct. Please show an example event that Logstash produces. Use a stdout { codec => rubydebug } output or copy/paste from Kibana's JSON tab.

Dykan_P · February 21, 2018, 10:33am

Thanks you actually it works but it took a long time to display properly

Have a nice day !

system · March 21, 2018, 10:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.