I'm using the IIS module currently, and everything is parsing great. I would like to further parse the url.query section of this line, indicated in bold:
2019-09-24 17:14:04 10.202.225.10 GET /Sso/Internal/SignOn.aspx fi=10_2084e051-0184-4746-a017-558fdf9a99a1&customer=3 443 - 10.202.225.254
I would like to separate it into 3 sections:
fi=10 the underscore following this would be the delimiter. Title would be "Client"
the middle section of stuff, the ampersand being the delimiter. Title being "Widget"
customer=3 would be the last section. Title being "Customer"
Since I'm using the built-in IIS module, I don't know where to put this additional parsing language, or frankly how to make it happen at all.
Hello, thanks for the question about filebeat. In your configuration, is filebeat shipping directly to elasticsearch, or does filebeat first ship data to logstash for enrichment or filtering? If you're using logstash, this could be a possible good portion of the pipeline to split about the url.query string.
Hi, thanks for the response. I am shipping directly to Elasticsearch. Is shipping to logstash the best way to split url.query, or can it be achieved using the ingest pipeline in filebeat?
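An added example, not part of the original thread and not the IIS module's own pipeline: a request body for the Elasticsearch simulate API (`POST _ingest/pipeline/_simulate`) that tries an ingest `dissect` processor against the `url.query` value from the log line above. The field names `Client`, `Widget` and `Customer` follow the titles asked for in the question; the second document is a constructed sample of a request whose query string has a different shape.

```json
{
  "pipeline": {
    "description": "Added example (assumption, not the module's pipeline): split url.query into Client, Widget, Customer",
    "processors": [
      {
        "dissect": {
          "field": "url.query",
          "pattern": "fi=%{Client}_%{Widget}&customer=%{Customer}",
          "ignore_missing": true,
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "url": {
          "path": "/Sso/Internal/SignOn.aspx",
          "query": "fi=10_2084e051-0184-4746-a017-558fdf9a99a1&customer=3"
        }
      }
    },
    {
      "_source": {
        "url": {
          "path": "/constructed/sample.aspx",
          "query": "page=2"
        }
      }
    }
  ]
}
```

The first document should come back with `Client` = `10`, `Widget` = `2084e051-0184-4746-a017-558fdf9a99a1` and `Customer` = `3`; the second passes through unchanged because `ignore_failure` suppresses the pattern mismatch, which matters when most IIS requests do not carry this query format.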