Hi, new to ELK.
I am trying to build a simple dashboard for the Apache access log.
I need to extract the second IP from the log.
Sample log:
127.0.0.1 172.0.0.10, 123.56.98.356 - - [date] "GET /loca/lib/images.img HTTP/1.1" 200 3840
127.0.0.1 165.87.57.77 - - [date] "POST /loca/lib/images.img HTTP/1.1" 200 3840
I tried using COMBINEDAPACHELOG, but I got everything as a single message.
I added a grok add_field, but it did not work out.
Sample Logstash config:
filter {
  if [type] == "apache-access" {
    grok {
      # Captures must be declared in "match"; "add_field" only copies fields that
      # already exist, so "%{IP:client_ip}" inside it never extracts anything.
      # COMBINEDAPACHELOG expects a single client host, so a line that starts with
      # two hosts fails to match and stays one undivided message; this pattern
      # takes both hosts plus an optional third comma-separated entry.
      match => {
        "message" => "%{IP:client_ip} %{IP:client_ip2}(?:, %{NOTSPACE:client_ip3})? %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
      }
    }
    date {
      locale => "en"
      match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
    }
  }
}
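As an added example that is not part of the original post: a small Python parser for the two-host access-log layout shown above, built on a regex equivalent to the grok pattern, so the extraction can be checked offline against the sample lines before it goes into Logstash. It assumes the comma-separated list after the first host is a forwarded-for chain (an assumption; the post does not say how the log is produced), the sample lines are the two from the post, and the function names are mine. The security-relevant caveat it handles: entries in such a chain come from the request, so the parser validates each one with `ipaddress` and reports malformed entries such as `123.56.98.356` instead of silently dropping them (grok's `%{IP}` would refuse to match that entry at all, which is why the whole line ends up unparsed with a `_grokparsefailure` tag).

```python
import re
from ipaddress import ip_address
from typing import Optional

# Regex equivalent of the grok pattern for the two-host layout in the post:
#   %{IP:host} <comma-separated chain> %{USER:ident} %{USER:auth} \[...\] "..." status bytes
# Assumption (not stated in the post): the comma-separated list after the first
# host is a forwarded-for chain as written by a LogFormat like
# "%h %{X-Forwarded-For}i %l %u %t ...".
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+)\s+'                            # %h, e.g. 127.0.0.1
    r'(?P<chain>[^\s,\[]+(?:,\s*[^\s,\[]+)*)\s+'    # one or more comma-separated addresses
    r'(?P<ident>\S+)\s+(?P<auth>\S+)\s+'            # %l %u, the "- -" fields
    r'\[(?P<timestamp>[^\]]*)\]\s+'                 # %t; the post uses the placeholder [date]
    r'"(?P<verb>\S+)\s+(?P<request>\S+)\s+HTTP/(?P<httpversion>[\d.]+)"\s+'
    r'(?P<response>\d{3})\s+(?P<bytes>\d+|-)\s*$'
)

# Constructed sample input: the two lines from the post.
SAMPLE_LINES = [
    '127.0.0.1 172.0.0.10, 123.56.98.356 - - [date] "GET /loca/lib/images.img HTTP/1.1" 200 3840',
    '127.0.0.1 165.87.57.77 - - [date] "POST /loca/lib/images.img HTTP/1.1" 200 3840',
]


def is_ip(text: str) -> bool:
    """True if text is a syntactically valid IPv4 or IPv6 address."""
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def parse_access_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None when the layout does not match.

    "client_ip" is the second address on the line (the first entry of the
    chain), which is what the post asks for. Entries that are not valid
    addresses are listed in "invalid_addresses" rather than dropped, so a
    malformed or hostile entry stays visible in the resulting event.
    """
    m = ACCESS_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    chain = [entry.strip() for entry in fields.pop("chain").split(",")]
    fields["forwarded_chain"] = chain
    fields["invalid_addresses"] = [entry for entry in chain if not is_ip(entry)]
    fields["client_ip"] = chain[0] if is_ip(chain[0]) else None
    return fields


def client_ips(lines) -> list:
    """Second IP of each parseable line; None for lines that do not match."""
    result = []
    for line in lines:
        parsed = parse_access_line(line)
        result.append(parsed["client_ip"] if parsed else None)
    return result


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_access_line(line)
        print(parsed["client_ip"], parsed["invalid_addresses"], parsed["verb"], parsed["response"])
```

Running it on the two sample lines yields `172.0.0.10` and `165.87.57.77` as the second IP, and flags `123.56.98.356` on the first line as an invalid address. If the Logstash side should behave the same way, give the third entry a permissive pattern such as `NOTSPACE` in grok and validate it downstream rather than using `%{IP}` for it.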