AWS ALB Classifier

aws_alb_grok_pattern

^%{DATA:http} %{TIMESTAMP_ISO8601:timestamp} %{DATA:gateway} %{URIHOST:client} %{URIHOST:target} %{NUMBER:request_processing_time} %{NUMBER:target_processing_time} %{NUMBER:response_processing_time} %{WORD:elb_status_code} %{WORD:target_status_code} %{NUMBER:received_bytes} %{NUMBER:sent_bytes} "%{REQUEST:target_request}" "%{DATA:user_agent}" %{DATA:ssl_cipher} %{DATA:ssl_protocol} %{DATA:target_group_arn} "%{DATA:trace_id}" "%{DATA:domain_name}" "%{DATA:chosen_cert_arn}" %{NUMBER:matched_rule_priority}$

AWS ALB Logs Grok Classifier
Custom patterns

HTTP_TYPE ([A-Z])\w+
HTTP \w+\/\d\.\d
MY_URIHOST %{IPORHOST:domain_name}(?::%{POSINT})?
MY_URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{MY_URIHOST})?(?:%{URIPATHPARAM})?
REQUEST %{HTTP_TYPE:http_method} %{MY_URI:url} %{HTTP:http_version}

Based off https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
Also MY_URI was used instead of URI because, for whatever reason in my production logs domain_name was sometimes set to - instead of the actual domain_name. So i ignored this value and instead tracked it down through the URI.