how to get missing field from apache log into event

Question

I'm trying to setup logstash to parse apache logs in a custom format.

This grok filter works, except that %{URIHOST} does not get into the imported data.

grok {
    match => { "message" => "%{URIHOST} %{COMBINEDAPACHELOG}" }
}

A raw line of the log file looks like:

yards-dev.oursite.org:80 192.168.1.114 - - [15/Apr/2015:10:49:28 -0400] "GET /about-us/chapters/dc HTTP/1.0" 200 8463 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"

I'm trying to capture 'yards-dev.oursite.org' into an indexed field.

score 0 · Answer 1 · answered Apr 15 '15 at 19:27

adding :fieldname worked

 match => { "message" => "%{URIHOST:hostname} %{COMBINEDAPACHELOG}" }

I used :hostname because when I tried to use :host which already has a mapping but is coming up as 0.0.0.0 in my data my captured value was appended to the useless value.

There are useless values like host=0.0.0.0 and values that never get populated that I would like to remove, I guess that's the next thing to figure out.

how to get missing field from apache log into event

1 Answers1