Starting from HTTPD_COMMONLOG, you can use the following pattern (you can try it in a grok tester):

```
grok {
  match => {
    "message" => "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:method} /api/v%{NUMBER:version}/places/search/json\?%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response_pre} (?:%{NUMBER:data_transfered}|-)"
  }
}
```

Once the grok filter has extracted the request, you can run a kv filter on it, which extracts the parameters (and sidesteps the problem of the parameters not appearing in a fixed order). You have to set the field_split option to &:

```
kv { source => "request" field_split => "&" }
```

For search_query, depending on which field is present, we use a mutate filter with the add_field option to create the field.

```
filter {
  grok {
    match => {
      "message" => "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:method} /api/v%{NUMBER:version}/.*/json\?%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response_pre} (?:%{NUMBER:data_transfered}|-)"
    }
  }
  kv { source => "request" field_split => "&" }
  if [query] {
    mutate { add_field => { "search_query" => "%{query}" } }
  } else if [keyword] {
    mutate { add_field => { "search_query" => "%{keyword}" } }
  }
  if [refLocation] {
    mutate { rename => { "refLocation" => "location" } }
  }
}
```
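To check what the grok -> kv -> mutate chain above yields on real lines before deploying it, here is an added Python stand-in (not Logstash code and not from the original answer) that applies an equivalent regex for the second grok pattern, splits the request on & as kv does, and performs the two mutate steps. The grok macros are hand-expanded in simplified form, the sample log lines are constructed, and the optional include_keys whitelist mirrors the real kv option of that name.

```python
import re

# Hand-expanded, simplified stand-ins for the grok macros used on this page
# (IPORHOST/HTTPDUSER -> non-space run, NUMBER -> decimal, DATA -> lazy .*?).
# Assumption: an illustration, not the grok library's own regexes.
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<method>\w+) /api/v(?P<version>\d+(?:\.\d+)?)/.*?/json\?(?P<request>\S+)'
    r'(?: HTTP/(?P<httpversion>\d+(?:\.\d+)?))?|(?P<rawrequest>.*?))" '
    r'(?P<response_pre>\d+) (?P<data_transfered>\d+|-)$'
)

def parse_line(line, include_keys=None):
    """Return the event dict the filter chain would produce, or None on no match."""
    m = LOG_RE.match(line)
    if m is None:
        return None                      # grok would tag the event _grokparsefailure
    event = {k: v for k, v in m.groupdict().items() if v is not None}

    # kv { source => "request" field_split => "&" }: parameter order is irrelevant.
    # include_keys mimics the kv option of that name; without it every
    # client-chosen parameter name becomes an event field.
    if 'request' in event:
        for pair in event['request'].split('&'):
            key, _, value = pair.partition('=')
            if not key or (include_keys is not None and key not in include_keys):
                continue
            event[key] = value           # values stay URL-encoded, as kv leaves them

    # if [query] / else if [keyword] -> mutate add_field search_query
    if 'query' in event:
        event['search_query'] = event['query']
    elif 'keyword' in event:
        event['search_query'] = event['keyword']

    # if [refLocation] -> mutate rename refLocation => location
    if 'refLocation' in event:
        event['location'] = event.pop('refLocation')
    return event

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/places/search/json?'
    'keyword=coffee&refLocation=48.85,2.35&radius=500 HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "POST /api/v2/places/nearby/json?'
    'query=tea%20house&keyword=ignored HTTP/1.1" 200 512',
    '198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 404 -',
]
```

Because kv turns every client-supplied parameter name into an event field, a production version of the kv block above would normally also set target or include_keys so that an unexpected key cannot collide with fields such as search_query.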


