How to add a new field mapping in my web access log

hi_hi · April 11, 2024, 10:23am

The first entry in the web access log file: 
112.181.246.27 12.12.181.2 - - [03/Apr/2024:16:46:22 +0800] "GET /icr/?mac_address=005044567570&network_type=4G&time=16:46:22.190 HTTP/1.1" 200 679 31248 "CX1UUCGAA01V.ixxx.pcsx.us:9765" -

After I import the log, there is a tag source_address with value "12.12.181.2"
But the  source address should be in the first field , may i know to to change the field mapping or add a new field for the source ip

yago82 · April 11, 2024, 3:44pm

hi_hi:

The first entry in the web access log file: 
112.181.246.27 12.12.181.2 - - [03/Apr/2024:16:46:22 +0800] "GET /icr/?mac_address=005044567570&network_type=4G&time=16:46:22.190 HTTP/1.1" 200 679 31248 "CX1UUCGAA01V.ixxx.pcsx.us:9765" -

After I import the log, there is a tag source_address with value "12.12.181.2"
But the  source address should be in the first field , may i know to to change the field mapping or add a new field for the source ip

Hi,
you would need to modify the ingest pipeline that is processing your logs.

You can create a new ingest pipeline that includes a grok processor to parse the log line and extract the source IP into a new field. The grok pattern would look something like this: "%{IP:source_ip} %{IP:source_address} ...".

Regards

hi_hi · April 12, 2024, 10:11am

Thanks. I have created the new ingest pipeline, can you tell me how to use it to import the file.