I have the following logstash filter so far:
filter {
  if [type] == "nginx-access" {
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
    useragent {
      source => "agent"
      target => "ua"
    }
    geoip {
      source => "xff_clientip"
      target => "geoip"
      add_tag => [ "nginx-geoip" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      split => { "x_forwarded_for" => ", " }
      convert => [ "response", "integer" ]
      convert => [ "bytes", "integer" ]
      convert => [ "responsetime", "float" ]
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}
The message gets broken out into fields, one of which is the request, being the URL requested.
I would like to know what alterations I will need to grok this request field and use kv (I think it's kv) to break that into keys and values from the querystring.
The querystring will have array-like values in it, for example: occasions[]=one&occasions[]=two. Is that going to cause any issues?
I'm pretty new to this, and kind of understand it, but any help would be appreciated.
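Added worked illustration (not part of the question above, and not Logstash's own code). In Logstash the usual shape is a grok that captures the path and the part after "?" into separate fields, followed by a kv filter on the query field with field_split => "&" and value_split => "=", a target so the parsed keys land under one sub-object, and include_keys so that only expected parameter names become fields. The script below, written against Logstash's JRuby runtime, mimics what that kv stage produces from the request string: repeated keys such as occasions[] are collected into an array (kv does this by default), the PHP-style "[]" suffix is stripped from the key (assumed here; in Logstash itself check the kv trim_key / remove_char_key options for the exact escaping), values are URL-decoded, and keys outside a hypothetical allow-list are dropped. The allow-list matters because query-string keys are attacker-controlled: without it, every new key name a scanner sends becomes a new field in the Elasticsearch mapping. The sample request and the allow-list are constructed for this example.

```ruby
require 'cgi'

# Constructed sample modelled on the nginx "request" field from the question.
SAMPLE_REQUEST = "/search?occasions[]=one&occasions[]=two&q=gift%20ideas&page=2"

# Hypothetical allow-list of parameter names we are willing to turn into
# event fields (plays the role of kv's include_keys option).
ALLOWED_KEYS = %w[occasions q page].freeze

# Split "/path?querystring" into the path and the raw query string
# (what a grok pattern with two captures would do in Logstash).
def split_request(request)
  path, query = request.split("?", 2)
  [path, query || ""]
end

# Parse a query string the way a kv filter with field_split => "&" and
# value_split => "=" would: repeated keys become an array, the "[]" suffix
# is stripped (assumption for this example), values are URL-decoded and
# unexpected keys are discarded instead of becoming new index fields.
def parse_query(query, allowed_keys: ALLOWED_KEYS)
  fields = {}
  query.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key = CGI.unescape(raw_key).sub(/\[\]\z/, "")
    next unless allowed_keys.include?(key)   # drop attacker-chosen key names
    value = CGI.unescape(raw_value.to_s)     # missing "=value" becomes ""
    if fields.key?(key)
      fields[key] = Array(fields[key]) << value   # second occurrence -> array
    else
      fields[key] = value
    end
  end
  fields
end

# Produce the two fields the filter chain would add to the event.
def parse_request(request)
  path, query = split_request(request)
  { "request_path" => path, "query" => parse_query(query) }
end

if __FILE__ == $PROGRAM_NAME
  p parse_request(SAMPLE_REQUEST)
end
```

Running it prints the path plus a "query" hash in which "occasions" is the array ["one", "two"], which is the shape you would expect in the event after kv; a request with no "?" yields an empty hash rather than an error.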