superwese/parse_alb_logs.txt

## parse_alb_logs.txt
fields @message
| parse @message /(?<type>[^ ]*) (?<time>[^ ]*) (?<elb>[^ ]*) (?<client_ip>[^ ]*):(?<client_port>[0-9]*) (?<target_ip>[^ ]*)[:-](?<target_port>[0-9]*) (?<request_processing_time>[-.0-9]*) (?<target_processing_time>[-.0-9]*) (?<response_processing_time>[-.0-9]*) (?<elb_status_code>|[-0-9]*) (?<target_status_code>-|[-0-9]*) (?<received_bytes>[-0-9]*) (?<sent_bytes>[-0-9]*) \"(?<request_verb>[^ ]*) (?<request_url>[^ ]*) (?<request_proto>- |[^ ]*)\" \"(?<user_agent>[^\"]*)\" (?<ssl_cipher>[A-Z0-9-]+) (?<ssl_protocol>[A-Za-z0-9.-]*) (?<target_group_arn>[^ ]*) \"(?<trace_id>[^\"]*)\" \"(?<domain_name>[^\"]*)\" \"(?<chosen_cert_arn>[^\"]*)\" (?<matched_rule_priority>[-.0-9]*) (?<request_creation_time>[^ ]*) \"(?<actions_executed>[^\"]*)\" \"(?<redirect_url>[^\"]*)\"(?<lambda_error_reason>$| \"[^ ]*\")(?<rest>.*)/
| display client_ip, request_url
	fields @message
	\| parse @message /(?<type>[^ ]) (?<time>[^ ]) (?<elb>[^ ]) (?<client_ip>[^ ]):(?<client_port>[0-9]) (?<target_ip>[^ ])[:-](?<target_port>[0-9]) (?<request_processing_time>[-.0-9]) (?<target_processing_time>[-.0-9]) (?<response_processing_time>[-.0-9]) (?<elb_status_code>\|[-0-9]) (?<target_status_code>-\|[-0-9]) (?<received_bytes>[-0-9]) (?<sent_bytes>[-0-9]) \"(?<request_verb>[^ ]) (?<request_url>[^ ]) (?<request_proto>- \|[^ ])\" \"(?<user_agent>[^\"])\" (?<ssl_cipher>[A-Z0-9-]+) (?<ssl_protocol>[A-Za-z0-9.-]) (?<target_group_arn>[^ ]) \"(?<trace_id>[^\"])\" \"(?<domain_name>[^\"])\" \"(?<chosen_cert_arn>[^\"])\" (?<matched_rule_priority>[-.0-9]) (?<request_creation_time>[^ ]) \"(?<actions_executed>[^\"])\" \"(?<redirect_url>[^\"])\"(?<lambda_error_reason>$\| \"[^ ]\")(?<rest>.*)/
	\| display client_ip, request_url