Oh I agree and have switched to Grok since I posted the original message. 
Yes those are IIS :)

However, Grok patterns take much more time to configure, whereas CSV 
literally takes 20 sec to set up. I'm just getting lazy I suppose haha 
Anyhow, CSV seems problematic for certain delimiters and poorly handles 
exceptions (Exchange especially) so I'm using Grok from now on. 

On Tuesday, 23 August 2016 22:19:54 UTC-4, Michael Anthon wrote:
>
> Going by the headers I'm guessing that's an IIS log?  As Jochen suggested 
> previously, Grok is your friend.
>
> These are the patterns I'm using for my IIS logs (one for entries with a 
> referer and one without)
>
> %{YEAR:year;int}-%{MONTHNUM:monthnum;int}-%{MONTHDAY:monthday;int}[T ](?!<[0-9])%{HOUR:hour;int}:%{MINUTE:minute;int}(?::%{SECOND:second;int})(?![0-9]) %{IPORHOST:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port;int} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} %{NOTSPACE:cs_user_agent} %{NUMBER:sc_status;int} %{NUMBER:sc_substatus;int} %{NUMBER:sc_win32_status;int} %{NUMBER:time_taken;long}
>
> %{YEAR:year;int}-%{MONTHNUM:monthnum;int}-%{MONTHDAY:monthday;int}[T ](?!<[0-9])%{HOUR:hour;int}:%{MINUTE:minute;int}(?::%{SECOND:second;int})(?![0-9]) %{IPORHOST:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{NOTSPACE:cs_uri_query} %{NUMBER:s_port;int} %{NOTSPACE:cs_username} %{IPORHOST:c_ip} %{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_referer} %{NUMBER:sc_status;int} %{NUMBER:sc_substatus;int} %{NUMBER:sc_win32_status;int} %{NUMBER:sc_bytes;int} %{NUMBER:cs_bytes;int} %{NUMBER:time_taken;long}
>
>
>
> On Wednesday, 17 August 2016 01:28:21 UTC+10, [email protected] wrote:
>>
>> Hi,
>>
>>
>> So it seems the CSV to field converter doesn't work with whitespace 
>> delimiters?
>>
>> Sample log:
>> 2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\user 192.168.30.171 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 302 0 0 187
>>
>> I've tried both an actual whitespace and \s in the 'Separator character' 
>> field but nothing does it.
>>
>>
>> <http://i.imgur.com/mFQfekZ.png>
>>
>>
>>
>> Any tips or more doc on the matter so I can achieve this?
>> I mean I can alternatively use GROK or do it from nxlog at the source but 
>> I'd like this to work as well :)
>>
>
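
The two field layouts from the Grok patterns quoted above, written as a stand-alone whitespace-delimited parser. This is an added example, not code from anyone in the thread or from Graylog: it keeps date and time as single tokens instead of the patterns' year/month/day fields, its per-field checks are simplified stand-ins for the Grok sub-patterns, and the second sample line is constructed.

```python
import re

# Field layouts taken from the two Grok patterns quoted in the thread.
BASE = ["date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query",
        "s_port", "cs_username", "c_ip", "cs_user_agent"]
NO_REFERER = BASE + ["sc_status", "sc_substatus", "sc_win32_status", "time_taken"]
WITH_REFERER = BASE + ["cs_referer", "sc_status", "sc_substatus",
                       "sc_win32_status", "sc_bytes", "cs_bytes", "time_taken"]
INT_FIELDS = {"s_port", "sc_status", "sc_substatus", "sc_win32_status",
              "sc_bytes", "cs_bytes", "time_taken"}
# Simplified per-field validation (assumption: stands in for the Grok sub-patterns).
CHECKS = {
    "date": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "time": re.compile(r"\d{2}:\d{2}:\d{2}"),
    "cs_method": re.compile(r"\w+"),
    "cs_uri_stem": re.compile(r"/\S*"),
}

def parse_iis_line(line):
    """Return a dict of typed fields, or None for directives and malformed lines."""
    if line.startswith("#"):          # W3C directives such as "#Fields:"
        return None
    tokens = line.split()             # IIS encodes spaces inside a field as "+"
    layout = {len(NO_REFERER): NO_REFERER,
              len(WITH_REFERER): WITH_REFERER}.get(len(tokens))
    if layout is None:                # unexpected field count: reject, don't guess
        return None
    record = {}
    for name, value in zip(layout, tokens):
        check = CHECKS.get(name)
        if check and not check.fullmatch(value):
            return None
        if name in INT_FIELDS:
            if not value.isdecimal():
                return None
            value = int(value)
        elif value == "-":            # IIS writes "-" for an empty field
            value = None
        record[name] = value
    return record

# Sample line from the original post, then a constructed line with a referer.
SAMPLE = ("2016-08-16 15:14:20 192.168.20.100 POST /Clients - 80 DOMAIN\\user "
          "192.168.30.171 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36"
          "+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 302 0 0 187")
SAMPLE_REFERER = ("2016-08-16 15:14:21 192.168.20.100 GET /Clients/list id=7 80 - "
                  "192.168.30.171 ExampleAgent/1.0 http://intranet.example/Clients "
                  "200 0 0 5120 410 15")
```

Lines with any other field count return None rather than being shifted into the wrong columns, so they can be routed to a separate stream for review.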
