Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- 1.4.0
- None
Description
ExtractGrok: support a "named captures only" option.
Currently, ExtractGrok returns all matches for a grok pattern. In some cases, this is verbose.
The following example parses an Apache common access log.
83.149.9.216 - - [17/May/2015:10:05:03 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
Disable named captures only
{ "grok.auth": "-", "grok.timestamp": "17/May/2015:10:05:03 +0000", "grok.httpversion": "1.1", "grok.HOUR": "10", "grok.ident": "-", "grok.SECOND": "03", "grok.HTTPD_COMMONLOG": "83.149.9.216 - - [17/May/2015:10:05:03 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023", "grok.USERNAME": "[-, -]", "grok.IP": "83.149.9.216", "grok.clientip": "83.149.9.216", "grok.verb": "GET", "grok.EMAILADDRESS": "[null, null]", "grok.request": "/presentations/logstash-monitorama-2013/images/kibana-search.png", "grok.EMAILLOCALPART": "[null, null]", "grok.INT": "+0000", "grok.BASE10NUM": "[1.1, 200, 203023]", "grok.YEAR": "2015", "grok.IPV4": "83.149.9.216", "grok.MINUTE": "05", "grok.HOSTNAME": "[null, null, null]", "grok.USER": "[-, -]", "grok.response": "200", "grok.bytes": "203023", "grok.TIME": "10:05:03", "grok.MONTH": "May", "grok.MONTHDAY": "17" }
Enable named captures only
{ "grok.request": "/presentations/logstash-monitorama-2013/images/kibana-search.png", "grok.auth": "-", "grok.ident": "-", "grok.timestamp": "17/May/2015:10:05:03 +0000", "grok.httpversion": "1.1", "grok.clientip": "83.149.9.216", "grok.response": "200", "grok.bytes": "203023", "grok.verb": "GET" }
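The difference between the two outputs above, reproduced with a small grok-style expander. This is an added example, not NiFi's or the grok library's code; the pattern table is a constructed, simplified subset, and `compile_grok` and `extract` are hypothetical names.

```python
import re

# Constructed, simplified subset of grok definitions (not the real pattern library).
PATTERNS = {
    "INT": r"[+-]?\d+",
    "IPV4": r"\d{1,3}(?:\.\d{1,3}){3}",
    "IP": r"%{IPV4}",
    "USER": r"[a-zA-Z0-9._-]+",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} %{INT}",
    "COMMONLOG": r'%{IP:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
                 r'"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}" '
                 r'%{NUMBER:response} %{NUMBER:bytes}',
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{PATTERN} or %{PATTERN:field}

def compile_grok(expr, named_only):
    """Expand grok references into one regex; keys[i] lists the names for group g<i>."""
    keys = []
    def expand(m):
        name, field = m.group(1), m.group(2)
        # The field name is always kept; the pattern name only when named_only is off.
        names = ([field] if field else []) + ([] if named_only else [name])
        body = REF.sub(expand, PATTERNS[name])  # expand nested references first
        if not names:
            return f"(?:{body})"                # unnamed reference: no capture
        keys.append(names)
        return f"(?P<g{len(keys) - 1}>{body})"
    return re.compile(REF.sub(expand, expr)), keys

def extract(expr, line, named_only):
    """Return grok.* attributes; a name captured more than once becomes a list."""
    regex, keys = compile_grok(expr, named_only)
    m = regex.match(line)
    if m is None:
        return {}
    out = {}
    for i, names in enumerate(keys):
        for n in names:
            out.setdefault("grok." + n, []).append(m.group(f"g{i}"))
    return {k: v[0] if len(v) == 1 else v for k, v in out.items()}

# Common-log portion of the access log line shown above.
SAMPLE = ('83.149.9.216 - - [17/May/2015:10:05:03 +0000] "GET /presentations/'
          'logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023')

if __name__ == "__main__":
    print(extract("%{COMMONLOG}", SAMPLE, named_only=True))
```

With `named_only=True` only the nine explicitly named fields survive; with it off, every referenced sub-pattern (`IP`, `USER`, `NUMBER`, ...) also becomes an attribute.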