@linuxmalaysia
Last active March 18, 2019 15:02
logstash grok uri. Find URL or URI in field data.
# %{URI:uri}
#
# %{URIPROTO:uriproto}://(?:%{USER:user}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{URIPATHPARAM:uripathparam})?
#
# %{EMAILLOCALPART:emaillocalpart}@%{HOSTNAME:emailhostname}
#
# %{EMAILADDRESS:emailaddress}
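filter {
  ### URI / URL
  # Extract the first URI found in the message. Events without a URI get the
  # default _grokparsefailure tag unless tag_on_failure => [] is set here.
  grok {
    match => { "message" => "%{URI:uri}" }
  }
  # Split the URI into protocol, user, host and path/query. The password part,
  # (?::[^@]*)?, is matched but not captured; the full "uri" field still holds it.
  if [uri] {
    grok {
      match => { "uri" => "%{URIPROTO:uriproto}://(?:%{USER:user}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{URIPATHPARAM:uripathparam})?" }
      add_tag => [ "uri_exist_email" ]
    }
  }

  ### Email ###
  # Extract the first email address found in the message.
  grok {
    match => { "message" => "%{EMAILADDRESS:emailaddress}" }
  }
  # Split the address into local part and host name; runs only when an
  # address was found.
  if [emailaddress] {
    grok {
      match => { "emailaddress" => "%{EMAILLOCALPART:emaillocalpart}@%{HOSTNAME:emailhostname}" }
      add_tag => [ "exist_email" ]
    }
  }
}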