Parsing URL with Logstash (using ECS fields)

Vincent_Maury · October 30, 2019, 9:13am

Hi there
i've been working on a way to parse url into ecs fields, and it seems to be working well.
Hope it helps!

# Parser a url
filter {
    grok {
        match => [
            # match https://user:pwd@stuff.domain.com:8080/some/path?p1=v1&p2=v2#anchor
            "field", "%{URIPROTO:url.scheme}://(?:%{USER:url.username}:(?<url.password>[^@]*)@)?(?:%{IPORHOST:url.domain}(?::%{POSINT:url.port}))?(?:%{URIPATH:url.path}(?:%{URIPARAM:url.query}))?",
            # match stuff.domain.com:8080/some/path?p1=v1&p2=v2#anchor
            "field", "%{IPORHOST:url.domain}(?::%{POSINT:url.port})(?:%{URIPATH:url.path}(?:%{URIPARAM:url.query}))?",
            # match /some/path?p1=v1&p2=v2#anchor
            "field", "%{URIPATH:url.path}(?:%{URIPARAM:url.query})"
        ]
    }
    if "_grokparsefailure" not in [tags] {
        grok {
            match => {
                "url.query" => "^\?(?<url.query>[A-Za-z0-9$.+!*'|(){},~@%&/=:;_?\-\[\]<>]*)(?:#(?:%{WORD:url.fragment}))?"
            }
      overwrite => [ "url.query" ]
        }
        kv {
        source => "url.query"
        field_split => "&"
        target => "url.query.params"
        }
    }
}

Vincent_Maury · October 31, 2019, 11:57am

Here is a working example, also illustrating multiple matches (break_on_match true by default):

input {
  generator {
    count => 1
    message => 'https://user:pwd@stuff.domain.com:8080/some/path?p1=v1&p2=v2#anchor'
  }
}


# Parser a url
filter {
	grok {
		match => {
      message => [
  			# match https://user:pwd@stuff.domain.com:8080/some/path?p1=v1&p2=v2#anchor
  			"%{URIPROTO:url.scheme}://(?:%{USER:url.username}:(?<url.password>[^@]*)@)?(?:%{IPORHOST:url.domain}(?::%{POSINT:url.port}))?(?:%{URIPATH:url.path}(?:%{URIPARAM:url.query}))?",
  			# match stuff.domain.com:8080/some/path?p1=v1&p2=v2#anchor
  			"%{IPORHOST:url.domain}(?::%{POSINT:url.port})(?:%{URIPATH:url.path}(?:%{URIPARAM:url.query}))?",
  			# match /some/path?p1=v1&p2=v2#anchor
  			"%{URIPATH:url.path}(?:%{URIPARAM:url.query})"
      ]
		}
	}
	if "_grokparsefailure" not in [tags] {
		grok {
			match => {
				"url.query" => "^\?(?<url.query>[A-Za-z0-9$.+!*'|(){},~@%&/=:;_?\-\[\]<>]*)(?:#(?:%{WORD:url.fragment}))?"
			}
      overwrite => [ "url.query" ]
		}
		kv {
  		source => "url.query"
  		field_split => "&"
  		target => "url.query.params"
		}
	}
}


output {
  stdout {
    codec => json
  }
}

system · November 28, 2019, 11:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing URL with Logstash (using ECS fields) nested! Logstash ecs-elastic-common-schema	4	4939	December 27, 2019
How do I map fields with ECS if I am using my own grok filters Logstash	1	215	April 18, 2022
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	754	March 2, 2021
Logstash/grok patterns with ECS Logstash ecs-elastic-common-schema	12	3203	November 10, 2020
Extract field from url? Logstash	11	1862	June 18, 2019

Parsing URL with Logstash (using ECS fields)

Related topics