Please open a new thread with your separate issue; that way your new question will have a wider audience.
When you do, it would be helpful to include what you have tried so far, how it is behaving differently than you expect, and the event's current output shape (e.g., using output { stdout { codec => rubydebug }}).
To get you started, my best guess is that your COMBINEDAPACHELOG grok is providing a field request, which contains the relative request URI. Since you are looking to extract information from this URI, you will likely have a second grok filter to perform this action, likely guarded by an if clause to ensure the plugin doesn't run on events that don't match:
filter {
  # ...
  # Only run grok when the request field exists and mentions members
  if [request] and [request] =~ /members/ {
    grok {
      match => {
        "request" => "^/api/v2/members/%{WORD:request_member_id}/"
      }
    }
  }
}
Thanks for your input. I tried putting that in my pipe.conf.
But what I encountered was that no data had been filtered, since there were no messages displayed in my Kibana once I restarted my Logstash. The config was OK; no errors were found.
It looks like the if condition needs parentheses to group the clauses:
if [request] and ([request] =~ /members/) {
  grok {
    match => {
      "request" => "^/api/v2/members/%{WORD:request_member_id}/"
    }
  }
}
The if clause is helpful here, because if you encounter messages that do not have a request field with members in it, they'll (a) expend extra, unnecessary work and (b) tag each event with _grokparsefailure, which may not be helpful.
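An added example, not part of the thread and not Logstash code: plain Ruby regexes stand in for the conditional and the grok pattern (%{WORD} written out as \b\w+\b, the process/summarize helpers and sample requests are constructed for illustration). It shows which events skip grok, which get request_member_id, and which pass the looser /members/ guard but still end up tagged _grokparsefailure.

```ruby
# Ruby stand-ins for the Logstash conditional and the grok pattern (assumption:
# %{WORD} behaves as \b\w+\b; the named group mirrors request_member_id).
GUARD = /members/
MEMBER_PATTERN = %r{^/api/v2/members/(?<request_member_id>\b\w+\b)/}

# Mimics: if [request] and ([request] =~ /members/) { grok { match => ... } }
def process(event)
  out = event.dup
  request = out["request"]
  # Guard is false: grok never runs and the event passes through untouched.
  return out unless request && request =~ GUARD

  m = MEMBER_PATTERN.match(request)
  if m
    out["request_member_id"] = m[:request_member_id]
  else
    # grok's default reaction to a failed match
    out["tags"] = (out["tags"] || []) + ["_grokparsefailure"]
  end
  out
end

# Constructed sample events, not taken from real logs.
SAMPLES = [
  { "request" => "/api/v2/members/alice42/profile" },  # guard + pattern match
  { "request" => "/api/v2/members/alice42" },          # no trailing slash
  { "request" => "/api/v2/members/3f2a-99/orders" },   # hyphen is not a \w char
  { "request" => "/static/members/logo.png" },         # guard matches, anchor fails
  { "request" => "/index.html" },                      # guard false, grok skipped
  { "message" => "no request field" }                  # field missing, grok skipped
].freeze

# Returns [request, extracted id, tagged with _grokparsefailure?] per event.
def summarize(events)
  events.map do |e|
    r = process(e)
    [e["request"], r["request_member_id"], (r["tags"] || []).include?("_grokparsefailure")]
  end
end

summarize(SAMPLES).each { |row| p row } if __FILE__ == $PROGRAM_NAME
```

Events two through four are the ones to watch in Kibana: the guard lets them through, so filtering on the _grokparsefailure tag is how you find requests the pattern does not cover.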