logstash grok parse url

Question

I have been searching online, but cannot quite figure this out.

grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{URIPATH:url}
}

I need to get contents out of the url and put stuff it in elastic search.

Logs have urls like this

URL 1 = /NEED_A/Constant_A/Constant_B/Constant_C/Need_B/Constant_D/Need_C/Need_D

URL 2 = /NEED_A/Constant_A /Constant_B/Constant_C/Need_B/Constant_D

URL 3 = /Wierd_A

Need_A, NEED_B, NEED_C, Need_D, Wierd_A should go in respective fields.

I have been trying to find a if else-if loop, but not really gotten anything yet.

grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} {URIPATH:url} %]
  }
if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D/*/*" {
    \/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/%{WORD:NEED_C}
}

else-if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D" {
    \/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/
}
else-if
    //something similar for url 3
}
//move on if nothing matches

Any thoughts?

score 1 · Accepted Answer · answered Sep 21 '15 at 21:39

1

logstash isn't a looping type system.

If you want to run multiple patterns against your input, just list them:

grok {
    match => {
        "message" => [
            "%{PATTERN1}",
            "%{PATTERN2}"
        ]
    ]
}

answered Sep 21 '15 at 21:39

Alain Collins

16,268
2
32
55

logstash grok parse url

1 Answers1