
We are sending Apache access logs to Graylog (2.1.1). We have 70+ websites and I want to build a quick value chart for, say, all requests that resulted in a 5xx response. Currently, when I create said chart, www.somedomain.com and somedomain.com are treated separately; I want to combine the count for those 2 variants of the same site. So if the counts for 5xx errors were:

www.somesite.com 10
somesite.com 5
www.someother.com 3
someother.com 4

The quick chart would have the following:

somesite.com 15
someother.com 7

How can I achieve that?
Thanks in advance.

grahamjgreen
  • Your SEO department should yell at you for not doing a 301 on the root to www. domain....which would also fix the issue. – Jacob Evans Oct 25 '16 at 23:37
  • Actually it looks like we should be doing the reverse by way of a rule in our Varnish VCL: if ( req.http.Host ~ "^www\.") { return (synth(301, req.http.Host)); } But I've yet to dig into that and if true why it's not doing it for all requests, but that's another story. ;) – grahamjgreen Oct 26 '16 at 00:28
  • lol that's a mistake but you'll figure that out another day. – Jacob Evans Oct 26 '16 at 00:31
  • I've no doubt, I'm uncovering a lot of mistakes as I dig deeper into this environment. – grahamjgreen Oct 26 '16 at 00:35
  • Ansible Galaxy can help a lot – Jacob Evans Oct 26 '16 at 00:42

1 Answer

You could add a grok filter like www.%{HOST}|%{HOST} as an extractor to split out a new value to "site_hostname" and then use that to filter.

Jacob Evans
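The normalisation the answer proposes (derive a site_hostname value, then chart on it) can be checked offline before it is turned into an extractor. This is an added example, not part of the original answer: it assumes the virtual host is the first field of each line, as in Apache's vhost_combined log format, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Optional leading "www." label, then at least two labels, optional trailing
# dot and ":port". Requiring two labels keeps a host such as "www.com" intact.
SITE_RE = re.compile(
    r"^(?:www\.)?(?P<site>[a-z0-9-]+(?:\.[a-z0-9-]+)+)\.?(?::\d+)?$")

# host, client, ident, user, [time], "request" (may hold escaped quotes), status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" (?P<status>\d{3}) ')


def site_hostname(host):
    """Return the host without "www." and port, or None if it is malformed."""
    m = SITE_RE.match(host.strip().lower())
    return m.group("site") if m else None


def count_5xx(lines):
    """Count 5xx responses per normalised site."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("status").startswith("5"):
            continue
        host = m.group("host")
        # Keep unparseable hosts under their raw value so they stay visible.
        counts[site_hostname(host) or host] += 1
    return counts


def sample_lines():
    """Constructed log lines reproducing the counts given in the question."""
    tmpl = ('{h}:80 203.0.113.5 - - [25/Oct/2016:23:00:01 +0000] '
            '"GET / HTTP/1.1" {s} 312')
    mix = [("www.somesite.com", 503, 10), ("somesite.com", 500, 5),
           ("WWW.someother.com", 502, 3), ("someother.com", 504, 4),
           ("www.somesite.com", 200, 20)]  # 2xx traffic must not be counted
    return [tmpl.format(h=h, s=s) for h, s, n in mix for _ in range(n)]


if __name__ == "__main__":
    for site, n in count_5xx(sample_lines()).most_common():
        print(site, n)
```

Anchoring the pattern at the start of the host and lower-casing first means a name such as wwwsomesite.com is left alone and mixed-case Host values fold into the same site.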