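# Join the first three space-separated tokens of the line (everything before
# the " [" delimiter) into [@metadata][timestamp]; the + modifier appends to
# the same field.
dissect { mapping => { "message" => "%{[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} [" } }

# Parse the dissected value with the date filter. The field lives under
# [@metadata], which Logstash does not pass to outputs, so it needs no cleanup.
if [@metadata][timestamp] { date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd HH:mm:ss.SSS ZZ" ] } }

if "HTTP Response" in [message] {
  # Split the line into the two JSON documents that follow the literal
  # "Request:" and "Response:" markers.
  grok { match => { "message" => "Request:%{GREEDYDATA:[@metadata][request]}Response:%{GREEDYDATA:[@metadata][response]}" } }

  # Parse each document into its own object. The parsed Headers may include
  # Authorization and other credential-bearing headers exactly as logged, and
  # every output that receives httpRequest/httpResponse receives them as well.
  if [@metadata][request] { json { source => "[@metadata][request]" target => "httpRequest" } }
  if [@metadata][response] { json { source => "[@metadata][response]" target => "httpResponse" } }

  # If you never have more than one value for a header then you could also
  # collapse each header from a list to its first value.
  ruby {
    code => '
      # Keep the first element of list-valued headers; leave any other value
      # (string, nil, number) untouched instead of indexing into it.
      first_value = lambda { |hdrs|
        hdrs.each_with_object({}) { |(name, value), flat|
          flat[name] = value.is_a?(Array) ? value[0] : value
        }
      }

      # Header names come from the logged traffic, so they are never
      # interpolated into a field reference: the whole Headers object is
      # rebuilt in Ruby and written back with a single fixed reference.
      ["httpRequest", "httpResponse"].each { |side|
        ref = "[" + side + "][Headers]"
        hdrs = event.get(ref)
        event.set(ref, first_value.call(hdrs)) if hdrs.is_a?(Hash)
      }
    '
  }
}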
My next step is to put the JSON data into a database table.
For example, extract the data from the Authorization, Referrer and iv-user fields and insert it into a database table. Could you please help?