I am attempting to parse and structured a raw proxy data using GROK filter in the ELK stack and I can,t get the timestamp and user agent string in the correct format. Do refer to sample log as follows:
"1488852784.440 1 10.11.62.19 TCP_DENIED/403 0 GET http://xxx.xxx.com/xxx - NONE/- - BLOCK_WEBCAT_12-XXX-XXX-NONE-NONE-NONE-NONE <IW_aud,0.0,-,""-"",-,-,-,-,""-"",-,-,-,""-"",-,-,""-"",""-"",-,-,IW_aud,-,""-"",""-"",""Unknown"",""Unknown"",""-"",""-"",0.00,0,-,""-"",""-"",-,""-"",-,-,""-"",""-""> - L ""http://xxx.xxx.xxx"" 10.11.11.2 - 403 TCP_DENIED ""Streaming Audio"" - - - GET ""Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"" http://xxx.xxx.xxx"
I am using the following filter:
%{NUMBER:timestamp}%{SPACE}%{NUMBER:request_msec:float} %{IPORHOST:src_ip} %{WORD}/%{NUMBER:response_status:int} %{NUMBER:response_size} %{WORD:http_method} (%{URIPROTO:http_proto}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{NOTSPACE:uri_param})? %{USERNAME:user} %{WORD}/(%{IPORHOST:dst_ip}|-)%{GREEDYDATA:content_type}
based on http://grokconstructor.appspot.com, I am able to parse out some of the fields except the timestamp (1488852784.440) and User Agent String. I have tried different Drok default filters on the timestamp but it still shows as numbers.
thank you.