Trying to filter out one parameter from the URI.
Sample:
"123.123.123.234" "yRETHGsggbbkndgddggddgRR" "03/Aug/2022:13:59:58 +0200" "34" "GET /api/v1/users/323408611/action/check-status HTTP/1.1" 200 26 "Apache-HttpClient/4.5.9 (Java)"
Pattern:
"%{IP:ip}" "%{DATA:rdmgen}" "%{HTTPDATE:timestamp}" "%{NUMBER:time}" "%{WORD:urimthd} %{PATH:path}(?:%{URIPARAM:param})? %{WORD:proto}/%{NUMBER:proto_ver}" %{NUMBER:status} %{NUMBER:total} "%{GREEDYDATA:agent}"
123456789 - is the user id.
URIPARAM is optional: sometimes the params are added to the logs and sometimes they aren't. I'm trying to filter out this 9-digit number in the URI. Is there any way to filter the number along with the URI and the optional URI param?
Thanks
Use a KV filter for this, or a multi-pattern grok like here:
filter {
  grok {
    # inner quotes must be escaped inside a double-quoted Logstash string
    match => { "message" => "\"%{IP:ip}\" \"%{DATA:rdmgen}\" \"%{HTTPDATE:timestamp}\" \"%{NUMBER:time}\" \"%{WORD:urimthd} %{PATH:path}(?:%{URIPARAM:param})? %{WORD:proto}/%{NUMBER:proto_ver}\" %{NUMBER:status} %{NUMBER:total} \"%{GREEDYDATA:agent}\"" }
  }
  grok {
    # the user id sits in the path segment after /users/, not in the query string
    match => { "path" => "/users/(?<user>[0-9]{9})" }
  }
}
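To check the two-stage approach offline before touching a Logstash pipeline, here is an added example (not code from the thread) that expands grok-style `%{NAME:field}` patterns into Python regular expressions and runs the sample line plus two constructed lines through them. The GROK table is a transcription of the relevant part of the logstash-patterns-core library from memory and may differ from the shipped file in minor details; USERID is a custom pattern added here on the assumption, taken from the question, that a user id is exactly nine digits. Only the `%{NAME}` and `%{NAME:field}` forms are supported (no `:int`/`:float` type suffix).

```python
import re
from typing import Optional

# Subset of the Logstash grok pattern library, transcribed so the patterns can be
# exercised with Python's re module. USERID is a custom pattern for this example
# (assumption: a user id is exactly nine digits, as the question states).
GROK = {
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "IP": r"%{IPV4}",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "WORD": r"\b\w+\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "UNIXPATH": r"(?:/[\w_%!$@:.,+~-]+)+",
    "PATH": r"%{UNIXPATH}",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "USERID": r"(?<![0-9])[0-9]{9}(?![0-9])",  # custom pattern, not in the stock library
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME} / %{NAME:field} references recursively into one regex."""
    def expand(p: str) -> str:
        def sub(m: "re.Match[str]") -> str:
            name, field = m.group(1), m.group(2)
            inner = expand(GROK[name])
            return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
        return _REF.sub(sub, p)
    return re.compile(expand(pattern))


# Stage 1: the line pattern from the question, URIPARAM optional.
LINE_PATTERN = (
    r'"%{IP:ip}" "%{DATA:rdmgen}" "%{HTTPDATE:timestamp}" "%{NUMBER:time}" '
    r'"%{WORD:urimthd} %{PATH:path}(?:%{URIPARAM:param})? %{WORD:proto}/%{NUMBER:proto_ver}" '
    r'%{NUMBER:status} %{NUMBER:total} "%{GREEDYDATA:agent}"'
)
# Stage 2: applied to the extracted path field, not to the query string.
USERID_PATTERN = r"/users/%{USERID:userid}"

LINE_RE = compile_grok(LINE_PATTERN)
USERID_RE = compile_grok(USERID_PATTERN)

# First line is the sample from the question; the other two are constructed
# to cover a request with a query string and a request with no user id.
LOG_LINES = [
    '"123.123.123.234" "yRETHGsggbbkndgddggddgRR" "03/Aug/2022:13:59:58 +0200" "34" '
    '"GET /api/v1/users/323408611/action/check-status HTTP/1.1" 200 26 "Apache-HttpClient/4.5.9 (Java)"',
    '"10.0.0.7" "abcDEFghi" "03/Aug/2022:14:00:01 +0200" "12" '
    '"POST /api/v1/users/987654321/action/check-status?verbose=1&lang=en HTTP/1.1" 200 26 "curl/7.85.0"',
    '"10.0.0.8" "xyz" "03/Aug/2022:14:00:02 +0200" "5" "GET /healthz HTTP/1.1" 200 2 "kube-probe/1.25"',
]


def extract_userid(path: str) -> Optional[str]:
    """Return the nine-digit id after /users/, or None when the path has none."""
    m = USERID_RE.search(path)
    return m.group("userid") if m else None


def parse_line(line: str) -> Optional[dict]:
    """Grok is unanchored, so search() mirrors its matching semantics."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # Logstash would tag the event _grokparsefailure here
    fields = m.groupdict()  # 'param' is None when the optional group did not match
    fields["userid"] = extract_userid(fields["path"])
    return fields


if __name__ == "__main__":
    for line in LOG_LINES:
        f = parse_line(line)
        print(f["urimthd"], f["path"], f["param"], f["userid"])
```

The same two stages transfer to Logstash: the first grok keeps `(?:%{URIPARAM:param})?` so lines with and without a query string both match, and the second grok targets the `path` field with a custom pattern declared via `pattern_definitions => { "USERID" => "(?<![0-9])[0-9]{9}(?![0-9])" }` and `match => { "path" => "/users/%{USERID:userid}" }`; the look-around keeps a ten-digit value from being accepted as a nine-digit id.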