@tomashley
Forked from kangguru/extractor.json
Last active August 29, 2015 14:17
{
"extractors": [
{
"condition_type": "string",
"condition_value": "sudo:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "sudo:\\s+(\\S+)\\s+:"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "sudo_executor",
"title": "Sudo Executor"
},
{
"condition_type": "string",
"condition_value": "sudo:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "sudo:.+COMMAND=(.+);?"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "sudo_command",
"title": "Sudo Command"
},
{
"condition_type": "string",
"condition_value": "sudo:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "sudo:.+USER=(\\S+)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "sudo_command_user",
"title": "Sudo Command User"
},
{
"condition_type": "none",
"condition_value": "",
"converters": [
{
"config": {},
"type": "syslog_pri_level"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\d <(.+)>"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "level",
"title": "Level/Severity"
},
{
"condition_type": "none",
"condition_value": "",
"converters": [
{
"config": {},
"type": "syslog_pri_facility"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\d <(.+)>"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "facility",
"title": "Facility"
},
{
"condition_type": "string",
"condition_value": "method=",
"converters": [
{
"config": {},
"type": "lowercase"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "method=(.+?)(\\s|$)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "http_method",
"title": "HTTP method"
},
{
"condition_type": "string",
"condition_value": "path=",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "path=(.+?)(\\s|$)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "path",
"title": "Path"
},
{
"condition_type": "none",
"condition_value": "",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "view=(.+?)(\\s|$)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "view_duration",
"title": "View duration"
},
{
"condition_type": "none",
"condition_value": "",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "db=(.+?)(\\s|$)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "db_duration",
"title": "DB Duration"
},
{
"condition_type": "string",
"condition_value": "duration",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "duration=(.+?)(\\s|$)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "request_duration",
"title": "Request duration"
},
{
"condition_type": "regex",
"condition_value": "\\[([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\]",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\]"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "request_id",
"title": "Request ID"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:\\s+(\\S+)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "remote_addr",
"title": "Remote Address"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx: \\S+ - (\\S+)"
},
"extractor_type": "regex",
"order": 1,
"source_field": "message",
"target_field": "remote_user",
"title": "Remote User"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [
{
"config": {
"date_format": "dd/MMM/YYYY:HH:mm:ss Z"
},
"type": "date"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?\\[(.+?)\\]"
},
"extractor_type": "regex",
"order": 2,
"source_field": "message",
"target_field": "timestamp",
"title": "Request Timestamp"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+\\[.+\\] \"(\\S+)"
},
"extractor_type": "regex",
"order": 3,
"source_field": "message",
"target_field": "request_verb",
"title": "Request Verb"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?\"\\S+ (\\S+).+\""
},
"extractor_type": "regex",
"order": 4,
"source_field": "message",
"target_field": "request_path",
"title": "Request Path"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+HTTP/(\\S+)\""
},
"extractor_type": "regex",
"order": 5,
"source_field": "message",
"target_field": "http_version",
"title": "HTTP Version"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" (\\d+)"
},
"extractor_type": "regex",
"order": 6,
"source_field": "message",
"target_field": "response_status",
"title": "Response Status"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" \\d+ (\\d+)"
},
"extractor_type": "regex",
"order": 7,
"source_field": "message",
"target_field": "response_bytes",
"title": "Response Bytes"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" \\d+ \\d+ \"(.+?)\""
},
"extractor_type": "regex",
"order": 9,
"source_field": "message",
"target_field": "http_referer",
"title": "HTTP Referer"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" \\d+ \\d+ \".+?\" \"(.+?)\""
},
"extractor_type": "regex",
"order": 8,
"source_field": "message",
"target_field": "http_user_agent",
"title": "HTTP User Agent"
},
{
"condition_type": "regex",
"condition_value": ".+connection=.+",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "connection=(.+?)\\|"
},
"extractor_type": "regex",
"order": 10,
"source_field": "message",
"target_field": "connection_id",
"title": "Connection ID"
},
{
"condition_type": "regex",
"condition_value": ".+connection_requests=.+",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "connection_requests=(.+?)\\|"
},
"extractor_type": "regex",
"order": 11,
"source_field": "message",
"target_field": "connection_requests",
"title": "Connection requests"
},
{
"condition_type": "regex",
"condition_value": ".+millis=.+",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "millis=(.+?)>"
},
"extractor_type": "regex",
"order": 12,
"source_field": "message",
"target_field": "millis",
"title": "Response time"
},
{
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "nginx:.+?\\\"(\\S+.+HTTP\\/\\S+)\\\" \\d+"
},
"extractor_type": "regex",
"order": 13,
"source_field": "message",
"target_field": "message",
"title": "Message"
},
{
"condition_type": "regex",
"condition_value": "\\[(\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b)\\]",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[(\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b)\\]"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "remote_addr",
"title": "Remote Address"
},
{
"condition_type": "string",
"condition_value": "status=",
"converters": [
{
"config": {},
"type": "numeric"
}
],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "status=(.+?)(\\s|$)"
},
"extractor_type": "regex",
"order": 0,
"source_field": "message",
"target_field": "response_status",
"title": "Response Status"
}
],
"version": "0.20.3"
}