Hi,
We have Nginx URL logs like below and trying to get top URLs by API name. so how can I ignore values after '?' the question mark and get API's.
/services/user/user_messages?bid=xxxxxx&apikey=xxxxxxxxxxxx&start=xxxxxxxxx&end=xxxxxxxxxx
/services/user_accounts?=xxxxxxx
/services/user_accounts?=1xxxxxx
/services/user_accounts?_=2xxxxxx
Thanks
You could use a grok or dissect filter at index time to parse out the base URL and store this in a separate field. This is most likely the most performant and scalable way to solve the problem.
I like to use this for dashboard visualisation only. don't want to change the actual data. is there any way to query in current logs data.
Depending on how you want to use it, it may be possible to do this through a scripted field, but that is likely to be slow and not scale very well as there would be a fair bit of processing for every document for every query. If this is a common analysis. I would recommend adding it as a separate field.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.