My nginx access log format is as below. There are certain access log entries without the
"$request_time" "$http_x_forwarded_for" $http_host ' fields; therefore, for certain access log entries, the grok filter is not working. Is there any way to automatically fill the fields with - so that the other fields of the message will be processed?

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$request_time" "$http_x_forwarded_for" $http_host ';

grok {
  match => { "message" => "%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method}%{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent:bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\" \"%{NUMBER:request_time}\" \"%{DATA:http_x_forwarded_for}\" %{IPORHOST:http_host} " }
  remove_field => "message"
}
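
One way to handle both line shapes, added here as an example and not part of the original post: the three trailing fields are wrapped in a single optional group, and a conditional fills them with "-" when the group did not match. It assumes the short lines end directly after the quoted user agent; the field names are the ones from the post.

```logstash
filter {
  grok {
    # Added example, not the poster's configuration.
    # (?: ... )? makes the three trailing fields optional as one unit.
    # ^ and \s*$ anchor the pattern so the non-greedy DATA captures
    # cannot stop early on a full-length line.
    # Differences from the posted pattern: a space between method and url
    # (so url has no leading blank), and no type suffix on body_sent
    # (grok's documented conversions are int and float).
    match => { "message" => "^%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent} \"%{DATA:referrer}\" \"%{DATA:agent}\"(?: \"%{NUMBER:request_time}\" \"%{DATA:http_x_forwarded_for}\" %{IPORHOST:http_host})?\s*$" }
    remove_field => "message"
  }

  # The optional group is all-or-nothing, so testing one field is enough.
  # Only fill the placeholders on events that grok actually parsed.
  if "_grokparsefailure" not in [tags] and ![request_time] {
    mutate {
      add_field => {
        "request_time"         => "-"
        "http_x_forwarded_for" => "-"
        "http_host"            => "-"
      }
    }
  }
}
```

Lines that match neither shape are still tagged `_grokparsefailure` and keep their `message` field, so they can be routed to a separate index for review.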