Logstash Grok unable to create new fields for apache-access log

Elastic Stack Logstash
1

Hi, New to ELK.
I am trying to build a simple dashboard for apache access log.
I need to extract the second IP from the log
Sample log

127.0.0.1 172.0.0.10, 123.56.98.356 - - [date] "GET /loca/lib/images.img HTTP/1.1" 200 3840
127.0.0.1 165.87.57.77 - - [date] "POST /loca/lib/images.img HTTP/1.1" 200 3840

I tried using the COMBINEDAPACHELOG getting everything as a single message.

Added GROK ADD_FILTER but it did not work out.
Sample log-stash config

filter {
    if [type] == "apache-access" {
        grok {
           add_field => { "uri" => "%{URIHOST}" }
           break_on_match => false
           add_field => { "clinetip" => "%{IP:client_ip} %{IP:client_ip2}" }
           break_on_match => false
           match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
        date {
            locale => "en"
            match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
        }
    }
2

Those log entries aren't in the combined format to COMBINEDAPACHELOG won't work. You'll have to define your own pattern(s). It's almost a combined log so if you start with the COMBINEDAPACHELOG pattern (below) it shouldn't be hard to construct a working pattern.

3

Awesome, thanks for the info.
But still new field is not added through grok add_field

 grok {
           add_field => { "uri" => "%{URIHOST}" }
4

Do your events have a URIHOST field? Please show your current filter configuration and an example of a resulting event (output from a stdout { codec => rubydebug } output is preferable).