Reputation: 109
I've been tasked with managing our ELK stack and writing rules for elastalert, but need a specific part of one field I already have as its own field in order to use elastalert's query_key functionality on that field. We're using these rules here:
https://github.com/hpcugent/logstash-patterns/blob/master/files/grok-patterns
/path_field_1/UID/path_field_2/path_params
Where UID is a 32 character unique identifier of 0-9,a-z,A-Z. I can access the whole URI in Kibana, but I eventually need UID to be its own field so that I can use elastalert's query_key over it. The lines containing this UID are always preceded by "/path_to_field_1/".
As a total novice, I'm not sure what might be some (good?) ways to achieve this - and the documentation (which I've been poring over for a week) is pretty arcane.
Upvotes: 1
Views: 1065
Reputation: 4089
You were on the right track looking at grok, if the preceding bit is always the same, you could use grok to grab the UID
grok {
  match => {
    "uri_field" => "/path_to_field_1/%{DATA:UID}/%{GREEDYDATA}"
  }
}
Upvotes: 2
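To see what that grok match actually extracts before putting it in front of elastalert, here is an added Python example (not from the answer or from Logstash) that expands the two built-in patterns to the regexes defined in the linked grok-patterns file (`DATA` is `.*?`, `GREEDYDATA` is `.*`) and runs them over a few constructed URIs. The field name `uri_field`, the `_grokparsefailure` tag grok adds on a miss, and the stricter 32-character alternative pattern are assumptions for illustration; the sample URIs and UID value are constructed.

```python
import re

# Grok's built-in DATA and GREEDYDATA expand to these regexes
# (definitions from the grok-patterns file linked in the question).
GROK_DATA = r".*?"
GROK_GREEDYDATA = r".*"

# Regex equivalent of the answer's grok match:
#   "/path_to_field_1/%{DATA:UID}/%{GREEDYDATA}"
# DATA is non-greedy, so UID stops at the first "/" after the prefix.
# Note that a trailing "/" is required, so a URI ending in the UID does not match.
LOOSE_PATTERN = re.compile(
    r"/path_to_field_1/(?P<UID>" + GROK_DATA + r")/" + GROK_GREEDYDATA
)

# Tighter alternative (an assumption, not part of the answer): the question says
# the UID is exactly 32 alphanumeric characters, so require exactly that and
# make the rest of the path optional.
STRICT_PATTERN = re.compile(
    r"/path_to_field_1/(?P<UID>[0-9A-Za-z]{32})(?:/" + GROK_GREEDYDATA + r")?$"
)


def extract_uid(uri, pattern=LOOSE_PATTERN):
    """Return the captured UID for a URI, or None when the pattern does not match.

    re.search is used because grok also matches anywhere in the field
    (it does not anchor at the start unless the pattern does).
    """
    match = pattern.search(uri)
    return match.group("UID") if match else None


def enrich_event(event, pattern=LOOSE_PATTERN):
    """Mimic the grok filter on a Logstash-style event dict.

    On success a new "UID" field is added (usable as elastalert's query_key);
    on failure the event is tagged "_grokparsefailure", as grok does by default.
    """
    out = dict(event)
    uid = extract_uid(event.get("uri_field", ""), pattern)
    if uid is None:
        out["tags"] = list(event.get("tags", [])) + ["_grokparsefailure"]
    else:
        out["UID"] = uid
    return out


# Constructed sample data: a 32-character alphanumeric UID and a few URIs.
SAMPLE_UID = "a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6"
SAMPLE_URIS = [
    "/path_to_field_1/" + SAMPLE_UID + "/path_field_2/q=1",  # normal case
    "/path_to_field_1/" + SAMPLE_UID,                        # no trailing path
    "/path_to_field_1/short/path_field_2",                   # not a real UID
    "/other/" + SAMPLE_UID + "/path_field_2",                # wrong prefix
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri)
        print("  loose :", extract_uid(uri))
        print("  strict:", extract_uid(uri, STRICT_PATTERN))
    print(enrich_event({"uri_field": SAMPLE_URIS[0]}))
```

Running it shows the two behaviours worth knowing before relying on the field: the loose pattern happily captures `short` as a UID and misses a URI that ends right after the UID, while the strict pattern only yields a 32-character value and tolerates a missing trailing path. Either way, events that do not match get `_grokparsefailure` rather than a `UID` field, so an elastalert rule keyed on `UID` should expect that field to be absent on some events.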