Reputation: 87
I am creating an Rsyslog template to parse Apache logs into JSON in order to send them to Elasticsearch.
I am presently trying to capture the request time from the access_log but cannot seem to get my regular expression to work properly.
Rsyslog config of template constant:
constant(value="\",\"request_time\":\"") property(name="msg" regex.expression="(\\[(.*)\\])" regex.type="ERE" regex.match="2")
I continually get "NO MATCH" from this, even though the regex appears to work on the rsyslog regex test page. If I replace regex.match with 0 I get the full timestamp, but it includes the [] characters, which I am hoping to avoid.
Example request:
192.168.33.1 - - [30/Mar/2016:08:45:38 +0000] "GET /TEST HTTP/1.1" 404 281 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
Any suggestions would be appreciated. Thanks!
Upvotes: 0
Views: 1108
Reputation: 87
I managed to get it working by narrowing down the specific data I wanted rather than "anything in between those square braces":
constant(value="\",\"request_time\":\"") property(name="msg" regex.expression="([0-9]*\\/[a-zA-Z]*\\/[0-9]*:[0-9]*:[0-9]*:[0-9]{2})" regex.type="ERE" regex.match="0")
Upvotes: 1
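As an added example (not from the question, the answer, or rsyslog itself), the script below emulates the regex options of an rsyslog property() statement: regex.match selects the n-th occurrence of the whole expression in the message, while the capture group is selected with regex.submatch. It runs both patterns from this page over the sample access_log line, plus a constructed variant whose request path contains a "]", to show why the narrower timestamp pattern is the more robust choice when part of the line is client-supplied. The emulation is modelled on the documented option semantics, not on rsyslog's code.

```python
import json
import re

# Constructed sample lines: the first is the access_log entry from the question,
# the second is the same entry with a client-supplied path that contains "]".
LOG_LINE = ('192.168.33.1 - - [30/Mar/2016:08:45:38 +0000] "GET /TEST HTTP/1.1" 404 281 "-" '
            '"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
            'Chrome/49.0.2623.87 Safari/537.36"')
LOG_LINE_BRACKET = LOG_LINE.replace('"GET /TEST HTTP/1.1"', '"GET /a[1] HTTP/1.1"')

# The two ERE patterns from the page, with the config-file string escaping removed.
LOOSE_RE = r"(\[(.*)\])"
TIGHT_RE = r"([0-9]*\/[a-zA-Z]*\/[0-9]*:[0-9]*:[0-9]*:[0-9]{2})"

NO_MATCH = "NO MATCH"  # rsyslog's default output when the expression does not match


def rsyslog_regex(msg, expression, match=0, submatch=0):
    """Emulate the regex options of an rsyslog property() statement.

    Assumption: models the documented option semantics; it does not call rsyslog.
    match    -- which occurrence of the whole expression to use (0-based)
    submatch -- which capture group of that occurrence to return (0 = whole match)
    """
    occurrences = list(re.finditer(expression, msg))
    if match >= len(occurrences) or submatch > occurrences[match].re.groups:
        return NO_MATCH
    return occurrences[match].group(submatch)


def request_time_json(msg, expression, match=0, submatch=0):
    """Build the JSON fragment the template aims for, with the value properly escaped."""
    value = rsyslog_regex(msg, expression, match, submatch)
    return json.dumps({"request_time": value})


if __name__ == "__main__":
    # match=2 asks for the third "[...]" occurrence in the line; there is only one.
    print(rsyslog_regex(LOG_LINE, LOOSE_RE, match=2))
    # Whole match keeps the brackets; capture group 2 is the bare timestamp.
    print(rsyslog_regex(LOG_LINE, LOOSE_RE, match=0, submatch=0))
    print(rsyslog_regex(LOG_LINE, LOOSE_RE, match=0, submatch=2))
    # Greedy ".*" runs to the last "]" in the line, so client data leaks into the field.
    print(rsyslog_regex(LOG_LINE_BRACKET, LOOSE_RE, submatch=2))
    # The tight pattern is unaffected by the extra bracket.
    print(request_time_json(LOG_LINE_BRACKET, TIGHT_RE))
```

The same concern applies to the other fields the template emits: concatenating raw request or user-agent strings into a JSON document lets a quote in client input break the record, so escape those values rather than splicing them in verbatim.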