Fields with brackets #25
Comments
|
Any update to this issue? thanks! :) |
|
Hello, Can you post an example of a raw line, the pattern you use and the expected value ? |
|
Hi there. pattern = "%{TIMESTAMP_ISO8601:logtime} %{WORD:s-sitename} %{WORD:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method} %{NOTSPACE:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs-version} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Referer)} %{IPORHOST:cs-host} %{NUMBER:sc-status} %{NUMBER:sc-substatus} %{NUMBER:c-win32-status} %{NUMBER:sc-bytes} %{NUMBER:cs-bytes} %{NUMBER:time-taken}" Note that the User-Agent field and Referer have brackets in the field name - unfortunately this is not something I can change on 200+ servers as will also break Splunk indexing. Example log item: 2018-02-02 00:01:32 W3SVC1 UKAPPSVR 172.18.131.173 GET /123/I/Home/PLMonstants - 80 Joe+Bloggs 172.18.17.185 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko https://blahblah.co.uk/theappname/live/app/thingy localhost 200 0 0 3393 2644 90 Tried all sorts but cannot get it to validate on http://grokconstructor.appspot.com/do/match Cheers Pete |
|
Hey @vjeantet Did my previous comment provide enough information to resolve the issue here? Thanks. Pete |
Hey guys.
It would appear this library doesn’t support field names with brackets ( ) in them. Specifically I’m matching IIS logs that have field names that uses brackets.
Is there a way of working around this or could this library be updated to support the use of brackets?
Cheers
Pete
The text was updated successfully, but these errors were encountered: