Remove HTTP encodings

Hi guys,

I'm integrating logs from a Squid proxy. There is a field called 'Original Received Request Header' that has data like below:

User-Agent:%20git/2.30.2%0D%0AProxy-Connection:%20Keep-Alive%0D%0AHost:%20github.private.com:443%0D%0A

So basically I want to remove the HTTP encodings and get the following:

User-Agent:git/2.30.2
Proxy-Connection:Keep-Alive
Host:github.private.com:443

Thanks in advance.

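filter {
   # Strip the percent-encoded CR, LF and space sequences
   mutate{ gsub => [ "message", "%0D|%0A|%20", "" ] }
   # Split the remaining string into the three header fields
   grok { match => { "message" => "User-Agent:%{DATA:User-Agent}Proxy-Connection:%{DATA:Proxy-Connection}Host:%{GREEDYDATA:Host}" } }
}

{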
          "User-Agent" => "git/2.30.2",
                "Host" => "github.private.com:443",
             "message" => "User-Agent:git/2.30.2Proxy-Connection:Keep-AliveHost:github.private.com:443",
    "Proxy-Connection" => "Keep-Alive"
}

Thanks @Rios, it's not the solution I used, but you pointed me to the answer.

Here is what I implemented:

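# Drop the encoded spaces
mutate{ gsub => [ "requestheader", "%20", "" ] }
# Turn the encoded CR and LF into spaces so kv can split on them
mutate{ gsub => [ "requestheader", "%0D|%0A", " " ] }

# Split each "Name:value" pair into its own field
kv {
   source => "requestheader"
   value_split => ":"
}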

Yes, you can use the KV filter. The gsub just needs to be tested to see which is better for your case.
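Added example, not part of any post in this thread: a general percent-decoder and header splitter in Ruby for the field shown in the question. Unlike the gsub patterns above, it decodes every `%XX` escape exactly once and keeps spaces inside values (they matter in real User-Agent strings). The function names `percent_decode` and `parse_request_headers` are hypothetical, and the sample inputs in the comments and test are constructed.

```ruby
# Added example (hypothetical helper names), not code from the thread.

# Decode %XX escapes exactly once. "+" is left alone (this is not form
# decoding) and malformed escapes such as "%ZZ" or a trailing "%" are
# kept verbatim so nothing from the original log line is silently lost.
def percent_decode(raw)
  # Work on bytes so decoded high bytes cannot raise an encoding error.
  decoded = raw.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.force_encoding(Encoding::UTF_8)
  # Replace byte sequences that are not valid UTF-8 instead of failing.
  decoded.valid_encoding? ? decoded : decoded.scrub("?")
end

# Split the decoded header block into a Hash of header name => value.
# A header that appears more than once is collected into an Array.
def parse_request_headers(raw)
  headers = {}
  percent_decode(raw).split(/\r?\n/).each do |line|
    # Split on the first colon only, so "Host: name:443" keeps its port.
    name, value = line.split(":", 2)
    next if name.nil? || value.nil? || name.strip.empty?

    key = name.strip
    val = value.strip
    if headers.key?(key)
      headers[key] = Array(headers[key]) << val
    else
      headers[key] = val
    end
  end
  headers
end
```

Inside Logstash the same logic could be placed in a ruby filter; the wiring to the event is left out here.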
