I am new to ELK, and need to figure out a way to pull a username out of the httpd messages I am currently sending to logstash. The message lines look like this:
I need to be able to parse out the userabc123 into a separate metric, but haven't found any pre-built code that can do it for me. Has anyone here come across a similar issue?
grok is one type of filter, dissect is another. Whilst grok solves a lot of pattern matching problems, dissect solves some of them more efficiently, so it is good to have both in your toolbox. Try
This assumes that the cn= field never contains a comma (it says that the comma ends the %{user1} field). But you would have the same fragility in grok. It looks like you could match "SSL_DN='cn=%{WORD:user2}" but what if the user name is more complex than a WORD?
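An added example, not code from the thread, illustrating the fragility the answer describes: a minimal dissect-style tokenizer beside a grok-style WORD match, run over constructed httpd-like lines. The surrounding line format and the dissect pattern are assumed; only the cn=userabc123 field comes from the question.

```python
import re

# Constructed sample lines (not from the original post). The surrounding httpd
# format is assumed; only the SSL_DN='cn=...' part follows the question.
def make_line(cn):
    return ("10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "
            f"SSL_DN='cn={cn},ou=staff,o=example' \"GET /app HTTP/1.1\" 200")

SAMPLE = make_line("userabc123")

# Assumed dissect pattern in the style of the answer: %{} skips, %{user1} captures.
DISSECT_PATTERN = "%{} SSL_DN='cn=%{user1},%{}"

def dissect(pattern, text):
    """Minimal imitation of Logstash dissect: the literal text between two
    %{...} markers delimits the field before it, so a delimiter character
    inside a value truncates that field (the fragility discussed above)."""
    parts = re.split(r"%\{(\w*)\}", pattern)      # literal, name, literal, ...
    literals, names = parts[0::2], parts[1::2]
    if not text.startswith(literals[0]):
        return None
    pos, fields = len(literals[0]), {}
    for name, lit in zip(names, literals[1:]):
        end = text.find(lit, pos) if lit else len(text)
        if end < 0:
            return None                            # a literal did not match
        if name:                                   # %{} means "skip this token"
            fields[name] = text[pos:end]
        pos = end + len(lit)
    return fields

# grok-style match using the WORD pattern (\b\w+\b) suggested in the answer.
GROK_WORD = re.compile(r"SSL_DN='cn=(?P<user2>\b\w+\b)")

def grok_word_user(text):
    m = GROK_WORD.search(text)
    return m.group("user2") if m else None

if __name__ == "__main__":
    # A dotted name survives dissect but is cut by WORD; an escaped comma in
    # the DN value (LDAP "\,") truncates both approaches.
    for cn in ("userabc123", "john.doe", "Doe\\, Jane"):
        line = make_line(cn)
        print(repr(cn), "dissect:", dissect(DISSECT_PATTERN, line)["user1"],
              "grok WORD:", grok_word_user(line))
```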