How should i write query when i want to look for a specific value of a header from kibana logs?

SreeReddy · November 5, 2018, 10:11pm

For Example, how should my query be, if i want to look for specific values of X-Forwarded-For ? Below is teh value of log.Headers field and i have to parse till X-Forwarded-For field.

Tried the below query, but was not successful:

{
  "match_phrase_prefix": {
    "log.requestHeaders.X-Forwarded-For": "52*"
  }
}

log.Headers value:

X-Amzn-Trace-Id: [XXXX],Accept: [application/x-protobuf],Tracecontext: [273f0626b40a74bc35hgh45],X-B3-Traceid: [273f0626b4gye4620a7464jbc],X-Forwarded-Proto: [https],X-Client-Id: [traffic-generator],X-B3-Parentspanid: [23714f926ee86435hfhdg5f1],X-Forwarded-Port: [443],X-Request-Id: [273f0626b40a325r43drgd74bdf6c],X-Span-Id: [52ac273e53605fdjhfgcj465465350],Applicationid: [ETASK],Content-Type: [application/x-protobuf],X-B3-Spanid: [33ac37593e8dfhgfj56756749da15],X-Forwarded-For: [882.2457.36761.245678, 57680.116782.16731.19696],X-B3-Sampled: [0],User-Agent: [Apache-HttpClient/4.5.6 (Java/1.8.0_181)],Accept-Encoding: [gzip,deflate]

brooksjo · November 12, 2018, 9:15am

Hello Sreetheja,

I'm trying to write query which you mentioned. Would you be able to give a few log.Headers field details you're having while checking?

There are conditions where Kibana will endeavor to question for the config before approval being accessible, and in those cases it will nimbly deal with the approval mistake, which is presumably what I found in the last case when checking it.

system · December 10, 2018, 9:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.