I want to extract the params in a path style url, it's something like this:
/cid/27/end/2017-12-15/format/json/pid/1600
and the result i want is like this: cid=27,end=2017-12-15,format=json,pid=1600
Is there any good filter plugin can doing this ?
Thanks guys.
I think you might be able to do this using the dissect filter and indirect field notation option (see documentation).
@Christian_Dahlqvist Thanks for your kind response.
Because of the unsure position of these parameters, the dissect filter may not help. and I decide to change my goal. Below is my method to extract some of those fields:
input {
file {
path => [ "/data0/logs/nginx/test.log" ]
}
}
filter {
grok {
match => {
"message" => "...(?<query_string>(/[a-zA-Z0-9-_]+)*)..."
}
overwrite => [ "host" ]
}
if [query_string] {
grok {
match => {
"query_string" => "/pid/(?\d+)"
}
}
grok {
match => {
"query_string" => "/cid/(?\d+)"
}
}
}
}
output {
stdout { codec => rubydebug }
}
=======================================
And finally what the result looks like this:
{
"method" => "GET",
"upstream_addr" => "172.16.1.12:9000",
"body_bytes_sent" => "3415",
"reqest_time" => "0.025",
"pid" => "1600",
"@timestamp" => 2017-11-27T08:53:24.315Z,
"@version" => "1",
"host" => "api.local.biz.com",
"client" => "127.0.0.1",
"upstream_response_time" => "0.025",
"time" => "24/Nov/2017:00:11:37 +0800",
"query_string" => "/cid/27/start/2017-12-15/format/json/pid/1600",
"status" => "200",
"cid" => "27"
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.