Is logstash required to parse url.query field into separate parts?

antonio84 · October 3, 2019, 3:23pm

ELK 7.3 and Filebeat 7.3

I'm using the IIS module currently, and everything is parsing great. I would like to further parse the url.query section of this line. It is highlighted in bold.

2019-09-24 17:14:04 10.202.225.10 GET /Sso/Internal/SignOn.aspx fi=10_2084e051-0184-4746-a017-558fdf9a99a1&customer=3 443 - 10.202.225.254

I would like to separate it into 3 sections:

fi=10 the underscore following this would be the delimiter. Title would be "Client"
the middle section of stuff, the ampsersand being the delimiter. Title being "Widget"
customer=3 would be the last section. Title being "Customer"

I'm using the built in IIS module, and am sending directly from filebeat to elasticsearch, no logstash. I don't know where to put this additional parsing language, or if I need to use logstash.

system · October 31, 2019, 3:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Parse url.query into Different Fields? Beats filebeat	4	2148	October 29, 2019
How to use IIS Module with Logstash? Beats filebeat	8	5446	December 28, 2018
Extract certain values from Url.Query field Beats filebeat	2	919	March 29, 2021
Please help. I'm not getting how to input IIS logs Logstash	10	5156	July 6, 2017
IIS Log message field doesn't always get parsed Beats filebeat	12	2650	September 5, 2018

Is logstash required to parse url.query field into separate parts?

Related topics