The first entry in the web access log file:
112.181.246.27 12.12.181.2 - - [03/Apr/2024:16:46:22 +0800] "GET /icr/?mac_address=005044567570&network_type=4G&time=16:46:22.190 HTTP/1.1" 200 679 31248 "CX1UUCGAA01V.ixxx.pcsx.us:9765" -
After I import the log, there is a tag source_address with value "12.12.181.2".
But the source address should be in the first field. May I know how to change the field mapping or add a new field for the source IP?
Hi,
You would need to modify the ingest pipeline that is processing your logs.
You can create a new ingest pipeline that includes a grok processor to parse the log line and extract the source IP into a new field. The grok pattern would look something like this: "%{IP:source_ip} %{IP:source_address} ...".
Regards
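An offline check of the grok pattern suggested above against the sample log line from the question, as an added example that is not part of the original thread. The `message` field name, the `remainder` capture and the simplified IPv4-only `IP` regex are assumptions.

```python
import json
import re

# Pattern from the reply, with a catch-all capture added for the rest of the line.
GROK = "%{IP:source_ip} %{IP:source_address} %{GREEDYDATA:remainder}"

# Simplified local stand-ins for Elasticsearch's built-in grok patterns
# (assumption: IPv4 only; the built-in IP pattern also covers IPv6).
LOCAL_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
}

# First entry of the web access log, copied from the question.
SAMPLE = ('112.181.246.27 12.12.181.2 - - [03/Apr/2024:16:46:22 +0800] '
          '"GET /icr/?mac_address=005044567570&network_type=4G'
          '&time=16:46:22.190 HTTP/1.1" '
          '200 679 31248 "CX1UUCGAA01V.ixxx.pcsx.us:9765" -')


def grok_to_regex(grok):
    """Expand each %{NAME:field} token into a named capture group."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), LOCAL_PATTERNS[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, grok))


def parse(line, grok=GROK):
    """Return the extracted fields, or None when the line does not match."""
    m = grok_to_regex(grok).search(line)
    return m.groupdict() if m else None


def pipeline_body(grok=GROK, field="message"):
    """Request body for an ingest pipeline with a single grok processor.
    Assumption: the raw log line is stored in the `message` field."""
    return {
        "description": "Extract the source IP from the first field of the access log",
        "processors": [{"grok": {"field": field, "patterns": [grok]}}],
    }


if __name__ == "__main__":
    print(parse(SAMPLE))                        # fields extracted locally
    print(json.dumps(pipeline_body(), indent=2))  # body for the pipeline definition
```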
Thanks. I have created the new ingest pipeline. Can you tell me how to use it to import the file?