Which gives me a few fields, but my problem relies in the fact that the order of the HTTP headers is not always the same, and sometimes User-Agent: will come before Host: and vice versa....
Basically I want to have the following values extracted:
ruby {
code => '
if event.get("client_payload")
m = event.get("client_payload").match /(?<request_method>^(GET|POST|PUT|HEAD|DELETE)) (?<request_path>.*) HTTP\/(?<request_version>[0-9]{1}\.[0-9]{1})/
if m
event.set("request_path", m[:request_path])
event.set("request_method", m[:request_method])
event.set("request_version", m[:request_version])
end
useragent = event.get("client_payload").match /User-Agent: (?<user_agent>.*?)(::|$)/
if useragent[:user_agent]
event.set("request_user_agent", useragent[:user_agent])
end
host = event.get("client_payload").match /Host: (?<request_host>.*?)(::|$)/
if host[:request_host]
event.set("request_host", host[:request_host])
end
end
'
}
However, I get alot of error in the logstash logs, such as:
[2018-10-22T21:22:58,991][ERROR][logstash.filters.ruby ] Ruby exception occurred: undefined method `[]' for nil:NilClass
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.