How to extract a substring

I would like to extract the value of a cookie from an HTTP request but up until now I can´t make it work.

I´m trying to get from a request field like this

GET /trading/css/main.css?version=4.4.0 HTTP/1.1, Host:, Connection: keep-alive, sec-ch-ua: %22Chromium%22;v=%2292%22, %22 Not A;Brand%22;v=%2299%22, %22Google Chrome%22;v=%2292%22, sec-ch-ua-mobile: ?0, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36, Accept: text/css,*/*;q=0.1, Sec-Fetch-Site: same-origin, Sec-Fetch-Mode: no-cors, Sec-Fetch-Dest: style, Accept-Encoding: gzip, deflate, br, Accept-Language: en-US,en;q=0.9, Cookie: _imp_di_pc_=AeiKv2AAAAAA%2Fe2%2Bl0tSpWzh1QMWVNiq; _imp_apg_r_=%7B%22diA%22%3A%22AeiKv2AAAAAA%2Fe2%2Bl0tSpWzh1QMWV f5did=SELECT+IF%28+USER%28%29+LIKE+%27root%40%25%27%2C+BENCHMARK%28100000%2CSHA1%28%27test%27%29%29%2C+%27false%27%29%3B; TS017a1cec=01b48180428042621a43fb9eb5a96afbcffd42e83ec7ebd222f4ed66d4621184363ff53bfcb5059689d9253d43f19b1336ef6f5d0d8e94453021ae1e7789599141b36f7c52

the cookie value of imp_apg_r. For this I got this grok filter
match => {
request => [ (?<deviceid_raw>imp_apg_r=[^;]*) ]
Can anyone point me to the right direction?

Thanks in advance!!

You appear to be missing the underscores around the name. I would use

grok { match => { "message" => "_imp_apg_r_=(?<deviceid_raw>[^;]*)" } }

Thank you!! Desperation makes you blind :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.