Separate response time from message field

Hi, I need to separate the response time in the screenshot, which is "0", and create a new field for it. How do I do this?

Is it some kind of web access log? You can use Grok, Dissect, or CSV (if the log is in csv format) to parse.

Yes those are access logs.
Now I am trying to dissect all the fields:
10.160.7.4 - - [20/Sep/2017:05:03:19 -0500] 0 "GET /" 200 3493

%{IPORHOST:clientip} %{USER:ident} %{USER:ident} \[%{HTTPDATE:timestamp}\] %{NOTSPACE:request}

This is what I had used for the grok filter. What will be the dissect filter for the same logs?
I used this

dissect => {
  mapping => {
    "message" => [
      "%{IPORHOST:clientip} %{USER:ident} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] %{NOTSPACE:request} \"(?:%{WORD:verb} \/%{WORD:application}%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{WORD:ServerHost}:%{WORD:ServerPort})"
    ]
  }
}

This does not seem to work.

If it's a custom access log, you can play with Grok using https://grokdebug.herokuapp.com/. Otherwise, just search in the forum for patterns for common access log types like Apache, nginx, or IIS.
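As an added example that is not part of the thread, the following Python re-implements dissect's delimiter-based semantics (no grok pattern names, just literal text between `%{name}` tokens) and runs the sample line through a mapping that captures the "0" as `response_time`; the `MAPPING` string is the shape that would go into a Logstash dissect mapping, with field names chosen here as an assumption.

```python
import re

# Dissect-style mapping for the access log line in the thread. Field names
# are an assumption; the value after the timestamp becomes response_time.
MAPPING = ('%{clientip} %{ident} %{auth} [%{timestamp}] %{response_time} '
           '"%{verb} %{request}" %{response} %{bytes}')

# Constructed samples: the first is the line from the thread, the second a
# made-up line with a non-zero response time and an authenticated user.
SAMPLE = '10.160.7.4 - - [20/Sep/2017:05:03:19 -0500] 0 "GET /" 200 3493'
SAMPLE2 = '192.0.2.10 - bob [21/Sep/2017:06:00:00 -0500] 143 "POST /login" 302 512'

TOKEN = re.compile(r'%\{([^}]*)\}')


def dissect(mapping, text):
    """Minimal dissect: each %{name} consumes input up to the literal
    delimiter that follows it in the mapping; the last token takes the rest.
    %{} and %{?name} are skips. Returns a dict, or None on mismatch."""
    parts = TOKEN.split(mapping)      # literal, name, literal, name, ...
    if not text.startswith(parts[0]):
        return None
    pos = len(parts[0])
    fields = {}
    for name, delim in zip(parts[1::2], parts[2::2]):
        if delim == '':
            value, pos = text[pos:], len(text)
        else:
            end = text.find(delim, pos)
            if end == -1:
                return None
            value, pos = text[pos:end], end + len(delim)
        if name and not name.startswith('?'):
            fields[name] = value
    return fields if pos == len(text) else None


def parse_access_line(line):
    """Dissect the line, then convert numeric fields (like mutate/convert)."""
    fields = dissect(MAPPING, line)
    if fields is None:
        return None
    for key in ('response_time', 'response', 'bytes'):
        fields[key] = int(fields[key])
    return fields


if __name__ == '__main__':
    print(parse_access_line(SAMPLE))
```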
