How to remove \ in Logstash


(Arungowda) #1

Hi All
I am new to Logstash. I need to remove \ from request and http_method.

request": ""GET https://www.docsapp.in:443/dashboardapp/forward/0/content?patientId=6009237 HTTP/2.0""
http_method": ""GET"

I want it like this:
request": "GET https://www.docsapp.in:443/dashboardapp/forward/0/content?patientId=6009237 HTTP/2.0""
http_method": "GET"

Could you please help me?


(Arungowda) #2

This is my .conf file:

input {
  stdin {}
}
filter {
  grok {
    match => {"message" => '%{NOTSPACE:request_type} %{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:alb-name} %{NOTSPACE:client} %{NOTSPACE:target} %{NOTSPACE:request_processing_time:float} %{NOTSPACE:target_processing_time:float} %{NOTSPACE:response_processing_time:float} %{NOTSPACE:elb_status_code} %{NOTSPACE:target_status_code} %{NOTSPACE:received_bytes:float} %{NOTSPACE:sent_bytes:float} %{QUOTEDSTRING:request} %{QUOTEDSTRING:user_agent} %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol} %{NOTSPACE:target_group_arn} %{QUOTEDSTRING:trace_id}'}
  }
  grok {
    match => ["request", "^(%{NOTSPACE:http_method})? (%{NOTSPACE:http_uri})?"]
  }
  grok {
    match => [ "target_group_arn","(?<target_group_arn>[/^])(?.[^/]*)"]
  }
  mutate {
    convert => {
      "elb_status_code" => "integer"
      "target_status_code" => "integer"
    }
  }
}

output {
  stdout {}
}


(Lewis Barclay) #3

Your examples are the same apart from extra quotes?


(Arungowda) #4

Sorry, I forgot to add the backslash.


(Lewis Barclay) #5

I still cannot see a difference in the examples


(Arungowda) #6

request": "\"GET https://www.docsapp.in:443/dashboardapp/forward/0/content?patientId=6009237HTTP/2.0""
http_method": "\"GET"

I need:
request": "GET https://www.docsapp.in:443/dashboardapp/forward/0/content?patientId=6009237HTTP/2.0""
http_method": "GET"


(Lewis Barclay) #7

Can you give me some raw input example lines? 3 or 4 would be good.


(Arungowda) #8

h2 2018-11-15T06:34:59.899131Z app/ecs-production-cluster/1e87a951378c7dd2 1.5d1.e5.1ew9:4w913 172.31.7.248:80 0.000 0.009 0.000 200 200 52 216 "POST https://www.docsapp.in:443/dashboardapp/forward/users HTTP/2.0" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:514:targetgroup/docsapp-release-tg/831ff227855 "Root=1-5bed1393-32203aa0d2b3c1a0d0e13c7e" "www.docsapp.in" "arn:aws:iam::547500:server-certificate/RenewedSSL" 6 2018-11-15T06:34:59.889000Z "forward" "-" "-
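
An added example, not part of any post in this thread: the `\"` in the output is how stdout prints a literal double quote, which `%{QUOTEDSTRING}` captures together with the text, so the field contains a quote character and no backslash. One way to get clean values, reusing the field names from the config above, is to match the quotes outside the captures; the fields after `trace_id` are left unparsed here and the `target_group_arn` grok is omitted.

```logstash
input {
  stdin {}
}

filter {
  # The double quotes are matched literally, outside the captures, so
  # request, user_agent and trace_id hold only the text between them.
  grok {
    match => { "message" => '%{NOTSPACE:request_type} %{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:alb-name} %{NOTSPACE:client} %{NOTSPACE:target} %{NOTSPACE:request_processing_time:float} %{NOTSPACE:target_processing_time:float} %{NOTSPACE:response_processing_time:float} %{NOTSPACE:elb_status_code} %{NOTSPACE:target_status_code} %{NOTSPACE:received_bytes:float} %{NOTSPACE:sent_bytes:float} "%{DATA:request}" "%{DATA:user_agent}" %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol} %{NOTSPACE:target_group_arn} "%{DATA:trace_id}"' }
  }

  # request no longer starts with a quote, so http_method is GET or POST
  # rather than "GET with a leading quote.
  grok {
    match => { "request" => "^%{NOTSPACE:http_method} %{NOTSPACE:http_uri}" }
  }

  # Alternative when %{QUOTEDSTRING:request} is kept in the first grok:
  # strip the quotes afterwards. This mutate has to run before the grok
  # that splits request into http_method and http_uri.
  # mutate {
  #   gsub => [ "request", '"', "" ]
  # }

  mutate {
    convert => {
      "elb_status_code"    => "integer"
      "target_status_code" => "integer"
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Fed the sample line from post #8 on stdin, this should print `request` as `POST https://www.docsapp.in:443/dashboardapp/forward/users HTTP/2.0` and `http_method` as `POST`, with no escaped quote.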