Hi,
version of logstash is: 6.3.2
I am parsing my nginx logs, logging format is:
log_format timed_combined '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'$request_time $upstream_response_time $sent_http_x_request_id $pipe $hostname '
'$cookie_u_role $sent_http_x_runtime '
'$cookie_login_impersonate_id $cookie_u_email $mobile_rewrite $http_x_amzn_trace_id "$virgin" "$pass_server" "$pass_server_ssl" "$scheme" "$is_varnish" "$varnish_hit"';
Based on this format, my nginx log is:
192.3.1.3 - - [28/Aug/2018:08:10:00 +0000] "GET /sr/dev HTTP/1.1" 304 0 "https://xyz.com/path" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "-" 0.001 0.001 1b88bdb421456a362cb59954affd4ba9 . dev-server1 - 0.341967 - - do_not_perform - "000" "http://elb_browsing" "http://varnish" "https" "1" "1"
My grok is :
match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} [%{HTTPDATE:[nginx][access][time]}] "%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} "%{DATA:[nginx][access][domain]}" "%{DATA:[nginx][access][agent]}" %{NUMBER:request_time} %{NUMBER:upstream_time} %{NOTSPACE:[nginx][access][request_id]}"] }
With this grok I can able to filter upto requested_id but unable to skip "." character and then after "dev-server1" want to skip "-"
Kindly help me to complete this.