GitHub user dlyle65535 opened a pull request:
https://github.com/apache/incubator-metron/pull/202
METRON-242: Remove Squid Pattern
Squid emits access log lines with and without an ip_dst_addr. I replaced the
Squid grok pattern with a pattern that:
1) Better handles the non-whitespace characters that appear after the
timestamp
2) Is tolerant to different characters between the url and the ip_dst_addr
3) Makes ip_dst_addr optional
In order to test both, I refactored the GrokParserTest to allow testing of
different patterns with a single grok statement.
This was tested on quick-dev-platform.
Please don't let the JIRA title fool you; the requester asked to remove it
or add a better one. I chose to add a better one.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/dlyle65535/incubator-metron METRON-242
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-metron/pull/202.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #202
----
commit 05f6738dcb5bc8340f321726570e32582c06c0a3
Author: David Lyle <[email protected]>
Date: 2016-07-26T15:22:08Z
METRON-242: Remove Squid Pattern
----
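An added illustration of the three behaviours listed in the description, written as a Python regex rather than grok; it is not the pattern from this pull request and not Metron code. Apart from ip_dst_addr, the field names, the `parse_squid_line` helper and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in Squid's native access.log layout (not from the PR).
SAMPLE_LINES = [
    "1467011157.401    415 127.0.0.1 TCP_MISS/200 337891 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1467011158.083      0 127.0.0.1 TCP_DENIED/403 4059 GET http://blocked.example.net/a?b=1 - NONE/- text/html",
    "1467011159.2 96 10.0.0.7 TCP_MISS/200 5120 CONNECT secure.example.org:443 - HIER_DIRECT/2001:db8::10 -",
    "1467011160.000 12 10.0.0.7 TCP_MISS/200 100 GET http://example.com/x",  # truncated line
]

LINE_RE = re.compile(
    r"^(?P<timestamp>\d+(?:\.\d+)?)\s+"          # variable padding after the timestamp
    r"(?P<elapsed>-?\d+)\s+"
    r"(?P<ip_src_addr>\S+)\s+"
    r"(?P<action>[A-Z0-9_]+)/(?P<code>\d{3})\s+"
    r"(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z_]+)\s+"
    r"(?P<url>\S+)"
    # Optional tail: ident field, then hierarchy code and peer ("-" when absent).
    r"(?:\s+\S+\s+[A-Z0-9_]+/(?P<peer>\S+))?"
)


def parse_squid_line(line):
    """Return a dict of fields, or None if the line is not a Squid access line.

    ip_dst_addr is None when the peer is missing, "-" or not an IP address,
    so denied or cached requests are still parsed instead of being dropped.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    peer = rec.pop("peer")
    try:
        rec["ip_dst_addr"] = str(ipaddress.ip_address(peer)) if peer else None
    except ValueError:
        rec["ip_dst_addr"] = None
    rec["timestamp"] = float(rec["timestamp"])
    for key in ("elapsed", "code", "bytes"):
        rec[key] = int(rec[key])
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_squid_line(sample))
```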