Grok processor to parse specific fields of IIS Logs message field

Hi,

I have the following grok processor, which basically splits the message field data into multiple fields. In my case the message field data changes for each log entry. How would I pass the message field data dynamically?

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "...",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": ["%{TIMESTAMP_ISO8601:timestamp} %{DATA} %{WORD:request.method} %{DATA:request.url} - %{NUMBER:port} - %{DATA} %{GREEDYDATA:useragent} - %{NUMBER:response.status_code} %{GREEDYDATA} %{NUMBER:response.time-taken}"]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "2020-09-21 10:55:44 ::1 GET / - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.102+Safari/537.36 - 304 0 0 0"
      }
    }
  ]
}

I tried passing "message": * instead of "message": "2020-09-21 10:55:44 ::1 GET / - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.102+Safari/537.36 - 304 0 0 0" but it is not working.

How can we do this?
Is the grok processor made to support a dynamic value for the message field?

Hi
This is not a Kibana-related question; you might get more help in #elastic-stack:elasticsearch.
But you should clarify your issue. You don't want to split the message? If you want help with grok patterns, our grok debugger can be helpful.

Best,
Matthias
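An added worked example for this thread (not code from the original post, nor from Elastic): it expands the grok pattern above into a regex with a small, assumed pattern bank, runs it over several constructed IIS W3C lines (the post's own line plus a failed-login probe, a line with a query string, and the #Fields header), and builds the PUT _ingest/pipeline body and the _bulk payload that make the processor run on every indexed document's own message value. The simulate API only tests a pipeline against the documents you paste in; once the pipeline is stored and named in the index request (or as the index's default pipeline), the "dynamic" part is automatic. The pipeline id iis-w3c, the index name iis-logs and the simplified grok definitions are assumptions for the example; the pattern also swaps DATESTAMP (MM/dd/yyyy style) for TIMESTAMP_ISO8601, the date form IIS actually writes.

```python
"""Grok-style parsing of IIS W3C log lines, mirroring the pipeline in this thread."""
import json
import re

# Assumed, simplified stand-ins for the stock grok definitions the pattern refers to.
# They cover the IIS line used here, not the full Oniguruma-based pattern library.
GROK_BANK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "WORD": r"\w+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# The pattern from the post, with DATESTAMP (MM/dd/yyyy style dates) replaced by
# TIMESTAMP_ISO8601, which is the form IIS writes. Tokens without a name are dropped.
IIS_PATTERN = (
    "%{TIMESTAMP_ISO8601:timestamp} %{DATA} %{WORD:request.method} %{DATA:request.url} - "
    "%{NUMBER:port} - %{DATA} %{GREEDYDATA:useragent} - %{NUMBER:response.status_code} "
    "%{GREEDYDATA} %{NUMBER:response.time-taken}"
)


def compile_grok(pattern, bank=GROK_BANK):
    """Expand a grok pattern into a compiled regex plus a group -> field-name map.

    Python group names cannot contain '.' or '-', so each capture gets a synthetic
    name (g0, g1, ...) and the semantic name (e.g. response.time-taken) lives in a
    side table. Literal text between tokens is escaped so ' - ' matches exactly.
    No support for the :int/:float type suffix; values stay strings, as in the post.
    """
    fields, parts, pos = {}, [], 0
    for n, tok in enumerate(re.finditer(r"%\{(\w+)(?::([\w.\-]+))?\}", pattern)):
        parts.append(re.escape(pattern[pos:tok.start()]))
        name, semantic = tok.group(1), tok.group(2)
        if semantic:
            fields[f"g{n}"] = semantic
            parts.append(f"(?P<g{n}>{bank[name]})")
        else:
            parts.append(f"(?:{bank[name]})")
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), fields


IIS_REGEX, IIS_FIELDS = compile_grok(IIS_PATTERN)


def grok_iis(line):
    """Fields for one log line, or None where the grok processor would fail."""
    m = IIS_REGEX.match(line)
    if m is None:
        return None
    return {IIS_FIELDS[g]: v for g, v in m.groupdict().items()}


def pipeline_body():
    """Body for PUT _ingest/pipeline/iis-w3c (pipeline id assumed). The on_failure
    handler keeps unparsable lines and records why, instead of rejecting them."""
    return {
        "description": "Split IIS W3C log lines in message into fields",
        "processors": [{"grok": {"field": "message", "patterns": [IIS_PATTERN]}}],
        "on_failure": [
            {"set": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}
        ],
    }


def bulk_body(lines, index="iis-logs", pipeline="iis-w3c"):
    """NDJSON for POST _bulk (index and pipeline ids assumed). Naming the pipeline
    in each action is what makes grok run on every document's own message value;
    nothing is passed to the processor by hand."""
    out = []
    for line in lines:
        out.append(json.dumps({"index": {"_index": index, "pipeline": pipeline}}))
        out.append(json.dumps({"message": line}))
    return "\n".join(out) + "\n"


SAMPLE_LINES = [
    # the line from the post: anonymous request, empty query, 304 Not Modified
    "2020-09-21 10:55:44 ::1 GET / - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)"
    "+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.102+Safari/537.36 - 304 0 0 0",
    # constructed: a scanner's failed login, still anonymous with an empty query
    "2020-09-21 10:56:02 10.0.0.5 POST /login.aspx - 443 - 203.0.113.9 curl/7.68.0 - 401 2 5 17",
    # constructed: the same client with a query string; the pattern hard-codes '-'
    # for cs-uri-query (and for cs-username), so this line does not parse
    "2020-09-21 10:56:03 10.0.0.5 GET /login.aspx ReturnUrl=%2fadmin 443 - 203.0.113.9 curl/7.68.0 - 200 0 0 9",
    # constructed: the #Fields header IIS writes at the top of every log file
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(grok_iis(line)))
    print(json.dumps(pipeline_body(), indent=2))
    print(bulk_body(SAMPLE_LINES[:2]), end="")
```

Two things the sample lines make visible: the literal " - " after request.url and after port means only requests with an empty query string and no authenticated user match, so a line with a query string (or a username) fails the whole grok and, without an on_failure handler, the document is rejected; and the #Fields header lines IIS writes at the top of each file fail the same way, so either skip them at the shipper or keep the on_failure handler so the failures are recorded rather than dropped.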

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.