Jiri_Petak (Jiri Petak)
September 25, 2018, 2:42pm
1
Hi, I would like to parse some fields from JSON logs from AWS WAF. On the input side Logstash uses:
input {
  s3 {
    bucket            => "XXXX"
    access_key_id     => "XXXX"
    secret_access_key => "XXXX"
    prefix            => "waf/"
    region            => "XXX"
    sincedb_path      => "/tmp/s3.sincedb"
    add_field         => [ "lso_name", "NULL", "lsi_type", "s3", "lsi_name", "waf" ]
    codec             => "json"
  }
}
I get messages like: 
{
  "httpSourceName" => "CF",
  "httpRequest" => {
    "clientIp"   => "XX.XX.XX.XX",
    "httpMethod" => "GET",
    "requestId"  => "XXXX",
    "uri"        => "XXX",
    "headers"    => [
      {"name" => "Host",       "value" => "test.example.com "},
      {"name" => "user-agent", "value" => "Mozilla/5.0"},
      {"name" => "accept",     "value" => "/ "}
    ]
  }
}
I am trying to parse those headers in a Logstash filter, but can't do it.
Output in Kibana should be like:
"httpRequest.headers.Host" => "test.example.com " 
"httpRequest.headers.user-agent" => "Mozilla/5.0"
I tried the json filter and even kv, but with no success.
Thanks for any reply.
yaauie (Ry Biesemeyer)
September 26, 2018, 12:23am
2
As it currently stands, your Elasticsearch index is getting a field httpRequest.headers.name and another called httpRequest.headers.value, which doesn't allow you to map names to values.
The array of objects will need to be transposed into a single object with named values.
I made something for you:
pipeline.conf
filter {
  ruby {
    path => "${PWD}/transpose.logstash-filter-ruby.rb"
    script_params => {
      source => "[proplist]"
    }
  }
}
transpose.logstash-filter-ruby.rb
###############################################################################
# transpose.logstash-filter-ruby.rb
# ---------------------------------
# A script for a Ruby filter to transpose an array of two-element objects into
# a single map
###############################################################################
#
# Copyright 2018 Ry Biesemeyer
#
# Permission is hereby granted, free of charge, to any person obtaining a copy 
This file has been truncated.
With the above-linked transpose.logstash-filter-ruby.rb, you could do the following:
filter {
  ruby {
    path => "/path/to/transpose.logstash-filter-ruby.rb"
    script_params => {
      "source" => "[httpRequest][headers]"
    }
  }
}
1 Like
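As an added example (not the gist linked above and not Logstash's own code): a Ruby filter script with the same register/filter entry points the ruby filter's `path` option loads, transposing an array of name/value objects into one map keyed by name. The StubEvent class and the sample record are constructed stand-ins so it runs outside Logstash, and the `_transpose_failure` tag name is an assumption.

```ruby
# Stand-in for the Logstash Event API (get/set/tag with "[a][b]" field
# references), constructed here so the script runs outside Logstash.
class StubEvent
  attr_reader :tags
  def initialize(data); @data = data; @tags = []; end
  def keys(ref); ref.scan(/\[([^\]]+)\]/).flatten; end
  def get(ref); keys(ref).reduce(@data) { |n, k| n.is_a?(Hash) ? n[k] : nil }; end
  def set(ref, v); path = keys(ref); last = path.pop; path.reduce(@data) { |n, k| n[k] ||= {} }[last] = v; end
  def tag(t); @tags << t; end
end

# Logstash ruby-filter entry points: register(params) and filter(event).
def register(params)
  @source = params["source"]              # e.g. "[httpRequest][headers]"
  @target = params["target"] || @source   # default: rewrite the field in place
end

def filter(event)
  list = event.get(@source)
  unless list.is_a?(Array)
    event.tag("_transpose_failure")       # unexpected shape: leave the event alone
    return [event]
  end
  result = {}
  list.each do |entry|
    next unless entry.is_a?(Hash) && entry.key?("name")
    name = entry["name"].to_s
    value = entry["value"]
    # a header that repeats (e.g. several cookie headers) keeps every value
    result[name] = result.key?(name) ? Array(result[name]) << value : value
  end
  event.set(@target, result)
  [event]
end

# Constructed sample shaped like the WAF record from the question.
def transpose_sample
  event = StubEvent.new("httpRequest" => { "headers" => [
    { "name" => "Host", "value" => "test.example.com" },
    { "name" => "user-agent", "value" => "Mozilla/5.0" },
    { "name" => "cookie", "value" => "a=1" },
    { "name" => "cookie", "value" => "b=2" }
  ] })
  register("source" => "[httpRequest][headers]")
  filter(event)
  event.get("[httpRequest][headers]")
end
```

After the filter runs, the headers field is a single object, so Elasticsearch maps `httpRequest.headers.Host` and `httpRequest.headers.user-agent` as separate fields instead of the parallel `name` and `value` arrays.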
Jiri_Petak (Jiri Petak)
September 26, 2018, 9:09am
3
Thanks, that's awesome! Works like a charm.
1 Like
system (system) Closed
October 24, 2018, 9:09am
4
              This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.