Starting from `HTTPD_COMMONLOG`, you can use the following pattern (it can be tested in the grok tester):

```
grok {
    match => {
        "message" => "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:method} /api/v%{NUMBER:version}/places/search/json\?%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response_code} (?:%{NUMBER:data_transfered}|-)"
    }
}
```
Once the grok filter has extracted the request, you can run the kv filter on it, which will extract the parameters (and sidesteps the problem of the parameters not being in a fixed order). You have to set the `field_split` option to `&`:

```
kv {
    source => "request"
    field_split => "&"
}
```
For `search_query`, depending on which field is present, we use the `mutate` filter with the `add_field` option to create the field.

```
filter {
    grok {
        match => {
            "message" => "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:method} /api/v%{NUMBER:version}/.*/json\?%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response_code} (?:%{NUMBER:data_transfered}|-)"
        }
    }
    kv {
        source => "request"
        field_split => "&"
    }
    if [query] {
        mutate {
            add_field => { "search_query" => "%{query}" }
        }
    } else if [keyword] {
        mutate {
            add_field => { "search_query" => "%{keyword}" }
        }
    }
    if [refLocation] {
        mutate {
            rename => { "refLocation" => "location" }
        }
    }
}
```
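A Python re-implementation of the grok -> kv -> mutate chain above, added here as an example (it is not part of the answer and not Logstash code) so you can check offline which fields a log line would yield; the regex is a simplified stand-in for the grok patterns, the sample lines are constructed, and the refusal to let a query-string key overwrite a grok field is a defensive choice of this example, not documented kv behaviour.

```python
import re

# Regex approximating the answer's grok pattern (added example, not Logstash itself).
# Assumption: one Apache common-log line per call; IPORHOST/HTTPDUSER/HTTPDATE are
# simplified to what a common-log line actually contains.
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<method>\w+) /api/v(?P<version>\d+(?:\.\d+)?)/.*/json\?(?P<request>\S+)'
    r'(?: HTTP/(?P<httpversion>\d+(?:\.\d+)?))?|(?P<rawrequest>[^"]*))" '
    r'(?P<response_code>\d+) (?:(?P<data_transfered>\d+)|-)$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/places/search/json'
    '?query=coffee&refLocation=48.85,2.35&radius=500 HTTP/1.1" 200 1532',
    '203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /api/v2/events/json'
    '?keyword=jazz HTTP/1.1" 404 -',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 123',
]


def parse_event(line):
    """Return the fields the grok -> kv -> mutate chain would produce, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # Logstash would tag the event _grokparsefailure instead
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    if "request" in event:
        # kv filter: field_split "&", value_split "=" (first "=" only). Keys come
        # straight from the client-controlled URL, so this example refuses to let
        # a query key such as client_ip=... overwrite a field grok already set.
        for pair in event["request"].split("&"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                event.setdefault(key, value)
    # mutate add_field: prefer query, fall back to keyword
    if "query" in event:
        event["search_query"] = event["query"]
    elif "keyword" in event:
        event["search_query"] = event["keyword"]
    # mutate rename
    if "refLocation" in event:
        event["location"] = event.pop("refLocation")
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_event(line))
```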