hjfeng1988
(Hjfeng1988)
January 19, 2019, 3:35am
1
Log file to analyze:
GET /login.html?user=hjfeng1988 HTTP/1.1
multiple field
filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
      "request_uri" => ["%{DATA:uri}\?.*"]
    }
  }
}
multiple match
filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
    }
    match => {
      "request_uri" => ["%{DATA:uri}\?.*"]
    }
  }
}
multiple grok
filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
    }
  }
  grok {
    match => {
      "request_uri" => ["%{DATA:uri}\?.*"]
    }
  }
}
I tried them; only multiple grok works in my case.
Badger
January 19, 2019, 12:58pm
2
As you say, multiple groks will work. Multiple match will never work, because one match overwrites the other in the final configuration of the filter.
You can get multiple field to work by adding 'break_on_match => false'. The default behaviour is for grok to work through the list until one pattern matches and then stop.
hjfeng1988
(Hjfeng1988)
January 21, 2019, 2:13am
3
Thank you very much.
Another problem: I tried a few ways to get both request_uri and uri, but always fail.
Log file to analyze:
GET /login.html?user=hjfeng1988 HTTP/1.1
GET /login.html HTTP/1.1
When I use this method, it can't get the correct value for uri.
filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
      "request_uri" => ["%{DATA:uri}(\?.*)?"]
    }
    break_on_match => false
    remove_field => ["message"]
  }
}
And with this method it will replace ? with , for the field request_uri.
filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
    }
    remove_field => ["message"]
  }
  mutate {
    split => { "request_uri" => "?" }
    add_field => { "uri" => "%{request_uri[0]}" }
  }
}
system
(system)
Closed
February 18, 2019, 2:13am
4
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.