Including space / multiple entries with GROK

So I'm using GROK to clean up some log files into Kibana, but there are a couple of areas I'm struggling with. How can I get the value of this to a field?:
X-FORWARDED-FOR -> (ip address)

Also I have another instance of multiple emails that all belong to a single field like so:
123@gmail.com, antoherEmail@gmail.com, etc

I've tried a few solutions, but I'm fairly new to this and am very stuck. Is there perhaps a way to limit how much data greedydata gets?

What do the log lines you want to extract data from look like and what data do you want to extract?

timestampHere	uidHere	IPhere	anotherIP X	X	X	x	/	-	-	0	0	-	-	-	-	-	(empty)	-	-	X-FORWARDED-FOR -> ipHere	-	-	-	-	-	-	-

Sorry I have to kind of censor the data I'm working with.

So each entry belongs to a field. My specific problem is getting the X-FORWARDED-FOR -> ipHere all to a single field because of the space. If I use greedydata I get that plus all the hyphens, which are for other fields that I do not want.

I get the feeling you are trying to match the whole line, but there is no need to do that. There are no implicit anchors in grok. If the [message] field of your event contains

blah blah blah X-FORWARDED-FOR -> 127.3.6.9 more stuff

then you can extract the IP address using

grok { match => { "message" => "X-FORWARDED-FOR -> %{IPV4:ip}" } }

Huh, I didn't know you could do it like that. I've been using this format and couldn't find a way to do it in terms of this way.
%{NUMBER:ts}%{SPACE}%{WORD:uid}%{SPACE}%{IP:orig_h}%{SPACE}%{NUMBER:orig_p}%{SPACE}%{IP:resp_h}
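The unanchored matching the answer above relies on, shown as an added example that is not from this thread or from Logstash itself: a small Python stand-in for grok's %{NAME:field} expansion, run over a constructed tab-separated line shaped like the one in the question. IPV4 and GREEDYDATA are grok built-ins; EMAILLIST is a custom pattern assumed here for the multi-email field.

```python
import re
from typing import Dict, List, Optional

# Constructed subset of grok's built-in pattern library plus one custom
# pattern (EMAILLIST), which is an assumption for this example and not a
# Logstash built-in. Enough to run the thread's patterns without Logstash.
GROK_PATTERNS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
    "EMAILLIST": r"[^\s,]+@[^\s,]+(?:,\s*[^\s,]+@[^\s,]+)*",
}

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} / %{NAME} into a regex with named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)

def grok_match(pattern: str, text: str) -> Dict[str, str]:
    """Unanchored search, as grok does: the pattern need not cover the line."""
    m = re.search(grok_to_regex(pattern), text)
    return m.groupdict() if m else {}

# Constructed line shaped like the question's, with RFC 5737 test addresses.
SAMPLE_LINE = "\t".join([
    "1700000000.123456", "CAbc12", "192.0.2.10", "51234", "198.51.100.7",
    "443", "-", "-", "0", "0", "-", "(empty)",
    "X-FORWARDED-FOR -> 203.0.113.5", "-", "-",
])
SAMPLE_EMAIL_LINE = "\t".join(["-", "123@gmail.com, another@gmail.com", "-"])

def forwarded_ip(line: str) -> Optional[str]:
    """The answer's approach: match just the fragment, space and all.
    X-Forwarded-For is set by the client or an upstream proxy, so treat
    the extracted value as untrusted input when it drives alerting."""
    return grok_match("X-FORWARDED-FOR -> %{IPV4:ip}", line).get("ip")

def forwarded_greedy(line: str) -> Optional[str]:
    """What the question ran into: GREEDYDATA swallows the trailing columns."""
    return grok_match("X-FORWARDED-FOR -> %{GREEDYDATA:rest}", line).get("rest")

def email_list(line: str) -> List[str]:
    """Bounded pattern instead of GREEDYDATA, then split the one field."""
    field = grok_match("%{EMAILLIST:emails}", line).get("emails", "")
    return [e.strip() for e in field.split(",") if e.strip()]
```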
