I have an IIS log, for example:
"2017-10-01 08:29:29 10.70.4.52 GET /Shared+Documents/Forms/AllItems.aspx AjaxDelta=1&isStartPlt1=1506846557836 80 0#.w|auto\user_sppano_dev 10.70.4.52 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) http://sppano/_layouts/15/start.aspx#/Shared%20Documents/Forms/AllItems.aspx 200 0 0 11585"
I tried to parse this with grok. I tried to parse the user name with %{USER:user} and I'm not getting anything; the only way I get something is with %{NOTSPACE:username}, but then I get the whole string 0#.w|auto\user_sppano_dev. I need to get only the user name user_sppano_dev.
Hi,
this is an example of a line from the IIS log: 2017-10-01 08:29:30 10.70.4.52 GET /Lists/NewsFeed/AllItems.aspx AjaxDelta=1 80 0#.w|c-ad\sp_dev 10.70.4.52 Mozilla/4.0+(compatible;+MSIE+7.0;
this is the grok line:
```
grok {
  match => ["message","%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{POSINT:port} %{NOTSPACE:username} %{IP:clientIP} %{NOTSPACE:userAgent} %{URI:URL} %{NUMBER:response}"]
}
```
when I put 0#.w|%{WORD}\%{NOTSPACE:user} and run logstash I don't get a "username" field
Please format the configuration as preformatted text so we can see exactly what it looks like. Use the </> toolbar button or look up how to use Markdown formatting.
when I put 0#.w|%{WORD}%{NOTSPACE:user} and run logstash I don't get a "username" field
I assume you mean you don't get a user field since that's what the grok expression creates for you.
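Added example, not from any of the posts above: a plain-regex equivalent of the thread's grok line that keeps cs-username whole (as %{NOTSPACE:username} does) and then splits the SharePoint claims-encoded value into claim prefix, domain and account name. The sample lines are constructed in the same layout as the log quoted in the thread; the grok form in the comment is an assumption and is not executed here.

```python
import re

# Constructed sample lines in the W3C layout used in the thread (not copied from the posts);
# the second one is the anonymous form IIS writes when cs-username is empty.
SAMPLE_LINES = [
    "2017-10-01 08:29:29 10.70.4.52 GET /Shared+Documents/Forms/AllItems.aspx "
    "AjaxDelta=1&isStartPlt1=1506846557836 80 0#.w|auto\\user_sppano_dev 10.70.4.52 "
    "Mozilla/4.0+(compatible;+MSIE+7.0) http://sppano/_layouts/15/start.aspx 200 0 0 11585",
    "2017-10-01 08:29:30 10.70.4.52 GET /Lists/NewsFeed/AllItems.aspx AjaxDelta=1 80 - "
    "10.70.4.52 Mozilla/4.0+(compatible;+MSIE+7.0) - 401 2 5 15",
]

# Regex equivalent of the grok line in the thread: %{NOTSPACE:x} is \S+, %{IP:x} an IPv4
# address, %{POSINT:x} and %{NUMBER:x} digits. cs-username is captured whole here.
IIS_LINE = re.compile(
    r"(?P<log_timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<serverIP>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<uriStem>\S+) "
    r"(?P<uriQuery>\S+) (?P<port>\d+) (?P<username>\S+) "
    r"(?P<clientIP>\d{1,3}(?:\.\d{1,3}){3}) (?P<userAgent>\S+) (?P<referer>\S+) "
    r"(?P<response>\d+)"
)

# SharePoint writes claims-encoded identities into cs-username: "<claim prefix>|<domain>\<user>".
# Prefix and domain are optional, so plain "DOMAIN\user" matches as well.
# A grok version needs the same escaping, because an unescaped "|" is alternation and "."
# matches any character; assumed form:  0#\.w\|%{WORD:domain}\\%{NOTSPACE:user}
CLAIMS_USER = re.compile(r"^(?:(?P<claim>[^|\s]+)\|)?(?:(?P<domain>[^\\\s]+)\\)?(?P<user>\S+)$")


def split_claims_username(value):
    """Return (claim, domain, user) for a cs-username value; '-' (anonymous) yields Nones."""
    if value == "-":
        return None, None, None
    m = CLAIMS_USER.match(value)
    return m.group("claim"), m.group("domain"), m.group("user")


def parse_iis_line(line):
    """Parse one IIS/SharePoint log line into a dict of fields, or None if it does not match."""
    m = IIS_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["claim"], fields["domain"], fields["user"] = split_claims_username(fields["username"])
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_iis_line(line))
```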