将http_referer url参数和查询字符串拆分为人类可读的数据
将http_referer url参数和查询字符串拆分为人类可读的数据
提问于 2017-12-20 15:24:33
我有以下格式的nginx日志
165.225.106.84 - - [20/Dec/2017:12:44:45 +0530] "POST /api/auction/auctionmaster/onauctionmasterfilter HTTP/1.1" 200 3227 "http://auction-dev.iquippo.com/viewauctions?type=upcoming" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" "115.112.162.2" "{\x22auctionType\x22:\x22upcoming\x22,\x22addAuctionType\x22:true}"我想像这样分割我的http_referer值
domain:- http://auction-dev.iquippo.com
param1 :- viewauctions
param2:- if any
query_param1:- upcoming
and so on..我在elastic search论坛上尝试了这篇文章:- https://discuss.elastic.co/t/extracting-domain-from-url/36219
但它对我不起作用。
回答 1
Stack Overflow用户
发布于 2017-12-26 00:07:47
注意:可能会有打字错误,你不能直接复制粘贴,但这是你想要做的事情的开始。
首先将引用存储在一个变量中,然后使用add_tag添加标记,然后在标记中添加if标记。
grok {
match => { "access_log_line" => "%{LINE_WITH_REFERAL}"}
add_tag => [ "referal" ]
}
if "referal" in [tags] {
grok {
match => { "referal" => "%{POST0}" }
add_tag => [ "referal_step2" ]
}
}
if "referal" in [tags] {
grok {
match => [ "referal_uri" => "%{POST_COMP}" ]
}
}示例行:
3227 "http://auction-dev.iquippo.com/viewauctions?type=upcoming"
2522 "http://auction-dev.iquippo.com/viewauctions?foo?type=upcoming"
327 "http://auction-dev.iquippo.com/viewauctions?foo?bar?type=upcoming"整行的第一个GROK模式:
POST0 %{INT} "http://%{IPORHOST}/%{WORD:uri}\?%{GREEDYDATA:data}与您的参数匹配的GrokPatterns:
POST1 type=%{WORD:query_param}"
POST2 %{WORD:param1}?type=%{WORD:query_param}"
POST3 %{WORD:param1}?%{WORD:param2}?type=%{WORD:query_param}"
POST4 %{WORD:param2}?%{WORD:param2}?%{WORD:param3}?type=%{WORD:query_param}"
POST_COMP %{POST1}|%{POST2}|%{POST3}|%{POST4}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/47900774
复制相关文章
相似问题
腾讯云开发者
