Hey all, I'm using logstash 2.3 to pull IIS logs into our little ES cluster running on site. Things are going well (albeit slowly), and now that I can start to troll through some of our data, I'm seeing a LOT of results from the user-agent filter return as either Other or Generic Smartphone (iPhone and iPad are in the lead).
Looking deeper, the first issue was that the regexes.yml file supplied with logstash is WAAAAY out of date. Replaced that and have (along with others) requested pulls on the GitHub page https://github.com/logstash-plugins/logstash-filter-useragent/pull/15
Second issue is that a lot of the log entries are like this:
2015-12-30 00:00:04 10.131.23.197 POST /handheld/resource/jobsheet/index.cfm - 443 - 184.108.40.206 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+8_1_2+like+Mac+OS+X)+AppleWebKit/600.1.4+(KHTML,+like+Gecko)+Version/8.0+Mobile/12B440+Safari/600.1.4 200 0 0 36419 237
The user-agent string is (for whatever reason) replacing the standard spaces with "+" and it's this (I believe) that's causing the inaccurate matches.
How can we get the logstash-filter-useragent updated for both: the latest regexes file AND support for "+" as space?
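
A pipeline-side workaround for the "+" encoding described in the post, as an added example that is not part of the original post or of the plugin's own code: it splits the sample IIS line into fields, turns "+" back into spaces in the user-agent field only, and then runs the useragent filter on the normalized value. The field names, the `ua` target and the regexes path are assumptions chosen for illustration, and the grok pattern is written against the single sample line shown above.

```conf
filter {
  # Split the W3C line from the post into fields. Field names are
  # illustrative; the columns after the status code are kept as one
  # unparsed tail because the post does not say what they are.
  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:s_ip} %{WORD:cs_method} %{NOTSPACE:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port} %{NOTSPACE:cs_username} %{IP:c_ip} %{NOTSPACE:cs_user_agent} %{NUMBER:sc_status} %{GREEDYDATA:iis_tail}"
    }
  }

  # Restore spaces in the user-agent field only, so other fields
  # (URI stem, query string) keep any "+" they legitimately contain.
  # "[+]" is a character class, which avoids backslash-escaping
  # questions in the config string.
  mutate {
    gsub => [ "cs_user_agent", "[+]", " " ]
  }

  # Parse the normalized string. "regexes" points the filter at a
  # newer ua-parser file; the path is a placeholder.
  useragent {
    source  => "cs_user_agent"
    target  => "ua"
    regexes => "/path/to/updated/regexes.yaml"
  }
}
```

The `mutate` block has to sit between `grok` and `useragent`, because filters run in the order they appear in the config.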