Parsing a querystring from nginx

john_6 · May 29, 2016, 2:21pm

I have the following logstash filter so far:

filter {
  if [type] == "nginx-access" {
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
    useragent {
      source => "agent"
      target => "ua"
    }
    geoip {
      source => "xff_clientip"
      target => "geoip"
      add_tag => [ "nginx-geoip" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      split => { "x_forwarded_for" => ", " }
      convert => ["response", "integer"]
      convert => ["bytes", "integer"]
      convert => ["responsetime", "float"]
      convert => [ "[geoip][coordinates]", "float"]
    }
  }
}

The message gets broken out into fields, one of which is the request being the url requested.

I would like to know what alterations I will need to grok this request field and use kv (I think it's kv) to break that into keys and values from the querystring?

The querystring will have array-like values in it, for example: occasions[]=one&occasions[]=two if that is going to cause any issues.

I'm pretty new to this, and kind of understand it, but any help would be appreciated

john_6 · May 29, 2016, 2:29pm

I jut tried:

kv {
  source => "request"
  target => "query"
  trim => "<>\[\],"
  field_split => "&"
}

but nothing seems to have changed after a restart of logstash. Have I got this wrong?

magnusbaeck · May 29, 2016, 3:18pm

Please give an example of a message you want to parse.