Hi guys,
i'm integrating log from proxy squid, there is a field called 'Original Received Request Header' that has data like below,
User-Agent:%20git/2.30.2%0D%0AProxy-Connection:%20Keep-Alive%0D%0AHost:%20github.private.com:443%0D%0A
So basically i want to remove http encodings and get the following,
User-Agent:git/2.30.2
Proxy-Connection:Keep-Alive
Host:github.private.com:443
Thanks in advance.
filter {
mutate{ gsub => [ "message", "%0D|%0A|%20", "" ] }
grok { match => { "message" => "User-Agent:%{DATA:User-Agent}Proxy-Connection:%{DATA:Proxy-Connection}Host:%{GREEDYDATA:Host}" } }
}
{
"User-Agent" => "git/2.30.2",
"Host" => "github.private.com:443",
"message" => "User-Agent:git/2.30.2Proxy-Connection:Keep-AliveHost:github.private.com:443",
"Proxy-Connection" => "Keep-Alive"
}
thanks @Rios, it's not the solution i use but you point me to the answer.
Let here what i implement,
mutate{ gsub => [ "requestheader", "%20", "" ] }
mutate{ gsub => [ "requestheader", "%0D|%0A", " " ] }
kv {
source => "requestheader"
value_split => ":"
}
Yes, you can use KV filer. For gsub just need to be tested, which is better for your case.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.