Keeping last part of field only in Logstash
How can I trim the last part of a key in Logstash?

I have URLs formatted in the form of http://aaa.bbb/get?a=1&b=2, and I'm putting them in 'request' and splitting the field based on '?&' to save the parameters.

I care about the specific API call, not the host or protocol. What filter(s) can I chain to keep the part after the final '/'? I've read a bit on patterns but haven't stumbled upon how to reference the last part of a split field.

    grok {
      # Grok pattern names are case-sensitive and must be upper case.
      match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} %{QS:request}" ]
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    kv {
      field_split => "&?"
      source => "request"
    }

I suggest taking the existing URI-related patterns and modifying them for your needs. Note that URIPATHPARAM parses out URIPATH and URIPARAM but doesn't shove them into fields.

So, make your own URIPATHPARAM:

    MYURIPATHPARAM %{URIPATH:uripath}(?:%{URIPARAM:uriparam})?

and call it from your own URI:

    MYURI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{MYURIPATHPARAM})?

In your previous grok{}, you ended with %{QS:request}. Make a new grok{} that runs [request] through MYURI, and you should end up with the 2 fields you're after.
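
The chain described in the answer, written out as an added example (not part of the original answer). It assumes the custom patterns are declared inline with the grok filter's `pattern_definitions` option rather than in a patterns file, and the field name `api_call` and the failure tag are hypothetical names chosen here.

```logstash
filter {
  # Second grok pass: runs over the field captured by %{QS:request}
  # in the first grok{} and fills "uripath" and "uriparam".
  grok {
    # Custom patterns defined inline (assumption; a patterns_dir
    # file holding the same two definitions works as well).
    pattern_definitions => {
      "MYURIPATHPARAM" => "%{URIPATH:uripath}(?:%{URIPARAM:uriparam})?"
      "MYURI" => "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{MYURIPATHPARAM})?"
    }
    match => { "request" => "%{MYURI}" }
  }

  # Keep only the text after the final '/' of the path.
  # "api_call" is a hypothetical field name for this example.
  # A path ending in '/' has no final segment, so the event is tagged
  # instead of receiving an empty field.
  grok {
    match => { "uripath" => "/(?<api_call>[^/]+)$" }
    tag_on_failure => [ "_apicall_parsefailure" ]
  }

  # Split only the query string into key/value fields.
  kv {
    source => "uriparam"
    field_split => "&?"
  }
}
```

For a request containing http://aaa.bbb/get?a=1&b=2, this yields `uripath` = `/get`, `uriparam` = `?a=1&b=2` and `api_call` = `get`.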