Thanks, this was really helpful...
I found the "target" parameter to put the query string into a container. Exactly what I needed. I couldn't put all my "match" statements in the same grok; they had to be separated...
I'm still baffled that I can't just call "URI" to extract everything based on the logstash-grok pattern here: https://github.com/hpcugent/logstash-patterns/blob/master/files/grok-patterns
filter {
  grok {
    match => [ "url", "%{URIPROTO:uri_proto}://(?:%{USER:user}(?::[^@]*)?@)?(?:%{URIHOST:uri_domain})?(?:%{URIPATHPARAM:uri_param})?" ]
  }
  grok {
    match => [ "uri_param", "%{GREEDYDATA:uri_path}\?%{GREEDYDATA:uri_query}" ]
  }
  kv {
    source      => "uri_query"
    field_split => "&"
    target      => "query"
  }
}
The result was:
  "url" => "http://cdn1cdedge0001.coxlab.net/_astats?application=&inf.name=eth0",
  "uri_proto" => "http",
  "uri_domain" => "cdn1cdedge0001.coxlab.net",
  "uri_param" => "/_astats?application=&inf.name=eth0",
  "uri_path" => "/_astats",
  "uri_query" => "application=&inf.name=eth0",
  "query" => {
    "inf.name" => "eth0"
  }
Then I can simply remove "uri_query" since it's now a duplicate, although I haven't tested this in ES yet.
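The three-stage pipeline from the post (grok on url, grok on uri_param, kv on uri_query) rebuilt in Python as an added example, not part of the original post; the regexes are hand-written approximations of the named grok patterns, not copies from logstash-patterns, and dropping empty values such as "application=" is assumed from the posted result rather than read from the kv filter's source.

```python
import re

# Simplified stand-ins (assumed approximations) for the grok patterns the post uses:
# URIPROTO, USER, URIHOST, URIPATHPARAM. Named groups carry the same field names.
URL_RE = re.compile(
    r"^(?P<uri_proto>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[A-Za-z0-9._-]+)(?::[^@]*)?@)?"
    r"(?P<uri_domain>[A-Za-z0-9.-]+(?::\d+)?)?"
    r"(?P<uri_param>/[^\s]*)?$"
)
# Second grok: %{GREEDYDATA:uri_path}\?%{GREEDYDATA:uri_query}
PATH_QUERY_RE = re.compile(r"^(?P<uri_path>.*?)\?(?P<uri_query>.*)$")


def parse_url(url: str) -> dict:
    """Return the event fields the filter chain in the post produces."""
    event = {"url": url}
    m = URL_RE.match(url)
    if not m:
        # Mirror Logstash: a failed grok tags the event instead of raising.
        event["tags"] = ["_grokparsefailure"]
        return event
    # Optional groups that did not match are left out, as grok does.
    event.update({k: v for k, v in m.groupdict().items() if v is not None})

    pq = PATH_QUERY_RE.match(event.get("uri_param", ""))
    if pq:
        event["uri_path"] = pq.group("uri_path")
        event["uri_query"] = pq.group("uri_query")
        # kv stage: field_split => "&", default "=" between key and value,
        # results placed under target => "query". Pairs with an empty value
        # (e.g. "application=") are dropped, matching the posted output (assumed).
        query = {}
        for pair in event["uri_query"].split("&"):
            key, _, value = pair.partition("=")
            if key and value:
                query[key] = value
        event["query"] = query
    return event


if __name__ == "__main__":
    # Constructed input: the URL from the post.
    print(parse_url("http://cdn1cdedge0001.coxlab.net/_astats?application=&inf.name=eth0"))
```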