[graylog2] Re: CSV to field converter using whitespace delimiter

Tue, 23 Aug 2016 19:20:06 -0700 

Going by the headers I'm guessing that's an IIS log?  As Jochen suggested 
previously, Grok is your friend.

These are the patterns I'm using for my IIS logs (one for entries with a 
referer and one without)

%{YEAR:year;int}-%{MONTHNUM:monthnum;int}-%{MONTHDAY:monthday;int}[T ](?!<[0
-9])%{HOUR:hour;int}:%{MINUTE:minute;int}(?::%{SECOND:second;int})(?![0-9]) 
%{IPORHOST:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:
cs_uri_query} %{NUMBER:s_port;int} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} 
%{NOTSPACE:cs_user_agent} %{NUMBER:sc_status;int} %{NUMBER:sc_substatus;int} 
%{NUMBER:sc_win32_status;int} %{NUMBER:time_taken;long}

%{YEAR:year;int}-%{MONTHNUM:monthnum;int}-%{MONTHDAY:monthday;int}[T ](?!<[0
-9])%{HOUR:hour;int}:%{MINUTE:minute;int}(?::%{SECOND:second;int})(?![0-9]) 
%{IPORHOST:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:
cs_uri_query} %{NUMBER:s_port;int} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} 
%{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_referer} %{NUMBER:sc_status;int} %{
NUMBER:sc_substatus;int} %{NUMBER:sc_win32_status;int} %{NUMBER:sc_bytes;int
} %{NUMBER:cs_bytes;int} %{NUMBER:time_taken;long}



On Wednesday, 17 August 2016 01:28:21 UTC+10, [email protected] wrote:
>
> Hi,
>
>
> So it seems the CSV to field converter doesn't work with whitespace 
> delimiters?
>
> Sample log:
> 2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\user 
> 192.168.30.171 
> Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36
>  
> 302 0 0 187
>
> I've tried both an actual whitespace and \s in the 'Separator character' 
> field but nothing does it.
>
>
> <http://i.imgur.com/mFQfekZ.png>
>
>
>
> Any tips or more doc on the matter so I can achieve this?
> I mean I can alternatively use GROK or do it from nxlog at the source but 
> I'd like this to work as well :)
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/557ce3d3-9993-4d61-ba59-dfd403432e08%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to