Grok pattern to split the stream name!

Elastic Stack Logstash
1

Again, Come with Wowza Log parsing issue !

When I parse the wowza server logs, the stream name come as below, Is there any way to split exact stream name alone from the entire url ?.

Convert the below one ,

FROM
wowz://www.example.com:443/WH12DH/definst/test04_01|wowz://www.example.com:443/WH12DH/definst/test04_01

TO
test04_01

Full Logstash output:

    "@version" => "1",
   "@timestamp" => "2015-11-16T08:05:45.821Z",
         "host" => "10.11.12.202",
         "type" => "wowzass",
    "xSeverity" => "INFO",
    "xCategory" => "session",
       "xEvent" => "disconnect",
         "date" => "2015-11-16",
         "time" => "07:37:54",
         "xApp" => "WH12DH",
    "cClientId" => "864083625",
          "cIp" => "10.11.13.89",
       "cProto" => "rtmp",
          "sIp" => "10.11.12.200",
        "sPort" => "443",
      "csBytes" => "408359",
      "scBytes" => "4067",
    "xDuration" => "4.879",
       "xSname" => "-",
    "xStreamId" => "**wowz://www.example.com:443/WH12DH/_definst_/test04_01|wowz://www.example.com:443/WH12DH/_definst_/test04_01"**,
2

Anyone please provide solution for this one ?.

3

I'm confused by your question. What part of the stream are you trying to split?

4

Hi

I have configured Wowza Origin and Edge Server. When you try to fetch the video/stream from Edge, it will forward the query to backend origin server [ as per the forwarder condition ]. In my case, I have mentioned primary and fallback url that separated by "|" symbol.

Note : When you check Origin log, it will show only "test04_01", but in Edge server log, it shows like below [ mean, shows entire forwarder lone"]

wowz://www.example.com:443/WH12DH/definst/test04_01|wowz://www.example.com:443/WH12DH/definst/test04_01

Stream Name : test04_01

I need to split the stream name alone from the above one.

Please advice.

5

FROM
wowz://www.example.com:443/WH12DH/definst/test04_01|wowz://www.example.com:443/WH12DH/definst/test04_01

TO
test04_01

So you basically want to capture everything after the last slash in the string? This'll do:

/(?<stream_name>[^/]+)$

This means capture one or more non-slash characters at the end of the string (going backwards until the first slash, i.e. the string's last slash, is encountered).

Anyone please provide solution for this one ?.

If you don't want to annoy people don't ping threads until at least 24 hours have passed. If you expect one-hour response time for questions there are plenty of paid options for that.

6

Format 1:

live wowz://test1.example.com:443/live/definst/demo01|wowz://test2.example.com:443/live/definst/demo01 test

Format 2:

live demo01 test

I was tried lot more options, but couldn't write a pattern to match above two condition.

Requirement : Using single pattern have to satisfy above two log formats.

Please help

7

You can list multiple patterns with the grok filter and it'll pick the first one that matches. Or you can do it in a single expression:

^(subexpression1|subexpression2|...|subexpressionN)$
8

@magnusbaeck Thanks for your reply,
I couldn't use the given pattern match along with my existing patterns.

If I get the pattern that would match this one, I will enable sub expression for Format 2 log.

9

The pattern I gave you assumed that the token you were looking for was at the end of the string, because it was at the end of the string in the example you gave. Now that the rules apparently have changed the expression needs to be adjusted too. This might work:

^%{WORD:app} \S+/(?<stream_name>[^ /]+ %{WORD:id}$