Split an output of a kv filter

Hi

Below is my logstash filter configuration.

filter {
  if [type] in [ "apache" , "apache_access" , "apache-access" ] {
    # Parse the standard Apache line; anything after it lands in extra_fields
    grok {
      match => [
        "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}",
        "message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
      ]
      overwrite => [ "message" ]
    }
    kv {
      source => "extra_fields"
      field_split => ",/"
    }
    # Comma-separated extra fields become fieldlist.column1, column2, ...
    csv {
      source => "extra_fields"
      target => "fieldlist"
    }

    mutate {
      convert => ["response", "integer"]
      convert => ["bytes", "integer"]
      convert => ["responsetime", "float"]
    }

    mutate {
      split => { "extra_fields" => "," }
    }

    geoip {
      source => "clientip"
      target => "geoip"
      add_tag => [ "apache-geoip" ]
    }
    date {
      match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
      remove_field => [ "timestamp" ]
    }
    useragent {
      source => "agent"
    }
  }
}

How can I split the data of fieldlist even more?
i.e.,

I want to filter fieldlist.column4 even more till the third occurrence of a '/' and store it in a new field.

Please do not post pictures of text, just post the text. You need to split the field called fieldlist.column4. What is the pattern of the data in that field, and can you provide an example of the data?

Given that you have not shown what the input data looks like, it does not help us to help you for you to show us the rest of your configuration.

Hi Badger,
Thanks for the reply.

Input to the field is
careers.azimpremjifoundation.org, 1160476, 200, POST /ApplyJobAPI/applyJobWithCustomFields HTTP/1.1

Here
fieldlist.column1 will have data as careers.azimpremjifoundation.org
fieldlist.column2 will have data as 1160476
fieldlist.column3 will have data as 200
fieldlist.column4 will have data as /ApplyJobAPI/applyJobWithCustomFields HTTP/1.1

My fieldlist.column4 has data like:

  1. /ccubeAPI/getCompanyConfigurationDetails/15119
  2. /profileAPI/getProfile/1209895
  3. /manage/angular-pages/custom-fields-directive.html
  4. /userAPI/loginAccess
  5. /common-files-v1.0/common-htmls/view-file-template.html
  6. /ccubeAPI/getJobForUrl/teacher-educator-chhattisgarh-india-karnataka-india-madhya-pradesh-india-puducherry-india-rajasthan-india-telangana-india-uttarakhand-india-201901260802088.

So from this I have to filter fieldlist.column4 data till the third occurrence of a '/' and store it in a new field.

Does

grok { match => { "[fieldlist][column4]" => "^(?<someField>/[^/]+/[^/]+/)" } }

do what you want?

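An added example, not part of the thread: the pattern from the answer above run over values listed in the question, using Ruby because its regex engine shares grok's Oniguruma syntax. It shows two cases worth checking before relying on the new field for per-endpoint aggregation: a two-segment path has no third '/' and does not match, and a value that still carries " HTTP/1.1" is captured up to the slash in "HTTP/". `TWO_SEGMENT_PATTERN`, `endpoint_prefix` and `evaluate` are hypothetical names introduced here.

```ruby
# Added example, not from the thread.

# Pattern from the answer: two path segments plus the third '/'.
ANSWER_PATTERN = %r{^(?<someField>/[^/]+/[^/]+/)}

# Hypothetical variant (assumption, not from the thread): keeps the first
# two segments without the trailing '/', and stops at whitespace.
TWO_SEGMENT_PATTERN = %r{^(?<someField>/[^/\s]+/[^/\s]+)}

# Sample values taken from the question, plus the request-line case.
SAMPLES = [
  "/ccubeAPI/getCompanyConfigurationDetails/15119",
  "/profileAPI/getProfile/1209895",
  "/manage/angular-pages/custom-fields-directive.html",
  "/userAPI/loginAccess",
  "/ApplyJobAPI/applyJobWithCustomFields HTTP/1.1"
].freeze

# Returns the captured prefix, or nil where grok would tag _grokparsefailure.
def endpoint_prefix(path, pattern)
  match = pattern.match(path)
  match && match[:someField]
end

# Splits the samples into captured prefixes and values with no match.
def evaluate(paths, pattern)
  result = { captured: {}, unmatched: [] }
  paths.each do |path|
    prefix = endpoint_prefix(path, pattern)
    if prefix
      result[:captured][path] = prefix
    else
      result[:unmatched] << path
    end
  end
  result
end

[ANSWER_PATTERN, TWO_SEGMENT_PATTERN].each do |pattern|
  outcome = evaluate(SAMPLES, pattern)
  puts "pattern: #{pattern.source}"
  outcome[:captured].each { |path, prefix| puts "  #{prefix.inspect} <- #{path}" }
  outcome[:unmatched].each { |path| puts "  no match: #{path}" }
end
```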

Kudos!!!
This does my work :)
Thank you so much, Badger.
