Good day!
I want to create an additional field for the nginx access log. This field must contain the left octets of the IP address. For example, if the remote IP is 192.168.1.10, the field will contain only 192.168.1.
Sorry, my English is not very good.
Best regards, roonick
You will need to extract this with an ingest pipeline, or similar, but it's possible.
That should be pretty easy with a Grok pattern (a custom one, just for fun). There you go:
Input
172.17.7.10
Custom Grok Pattern
LEFTIP (?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.])
Grok Pattern
%{LEFTIP:client}
Output
{
  "client": [
    [
      "172.17.7."
    ]
  ]
}
You can practice at https://grokdebug.herokuapp.com
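The LEFTIP pattern from the reply above, applied to whole access-log lines, as an added example that is not part of the original posts. It uses Python's `re` module rather than grok; the start-of-line anchor, the fourth-octet lookahead, the function names and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Octet alternation copied from the LEFTIP pattern in the post above.
OCTET = r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])"

# Assumptions added for this example: the match is anchored to the start of
# the line (where nginx's default "combined" format puts $remote_addr), and a
# lookahead requires a complete, valid fourth octet after the captured prefix.
LEFTIP = re.compile(
    r"^(?P<client>(?:" + OCTET + r"[.]){3})"
    r"(?=" + OCTET + r"(?![0-9.]))"
)

# Constructed sample lines, not taken from a real log.
SAMPLE_LINES = [
    '172.17.7.10 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '172.17.7.99 - - [01/Jan/2024:00:00:02 +0000] "GET /a HTTP/1.1" 404 153 "-" "curl/8.0"',
    '192.168.1.10 - - [01/Jan/2024:00:00:03 +0000] "GET /b HTTP/1.1" 200 87 "-" "curl/8.0"',
    '2001:db8::1 - - [01/Jan/2024:00:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '10.0.0.256 - - [01/Jan/2024:00:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
]


def left_octets(line):
    """Return the first three octets with the trailing dot, or None."""
    match = LEFTIP.match(line)
    return match.group("client") if match else None


def prefix_counts(lines):
    """Count lines per three-octet prefix; also return how many were skipped."""
    counts = Counter()
    skipped = 0
    for line in lines:
        prefix = left_octets(line)
        if prefix is None:
            skipped += 1  # IPv6 client or malformed IPv4 address
        else:
            counts[prefix] += 1
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = prefix_counts(SAMPLE_LINES)
    for prefix, n in counts.most_common():
        print(prefix, n)
    print("skipped:", skipped)
```

Lines with an IPv6 client or an out-of-range octet yield no prefix, so a pipeline built on this pattern should expect the field to be absent for them.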