Skip to content

Instantly share code, notes, and snippets.

@TomonoriSoejima

TomonoriSoejima/case1

Last active June 20, 2017 08:24
Show Gist options
  • Save TomonoriSoejima/18561dbecc1534f5a854514297a217ee to your computer and use it in GitHub Desktop.
Save TomonoriSoejima/18561dbecc1534f5a854514297a217ee to your computer and use it in GitHub Desktop.
Download ZIP
ingest api with timestamp
Raw
case1
#pattern 1
POST _ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"kv": {
"field": "http_message",
"field_split": " ",
"value_split": ""
}
}
]
},
"docs": [
{
"_source": {
"http_message":"04/Jun/2017:06:26:49"
}
}
]
}
# pattern2
# this fails due to lack of value_split (=)
POST _ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"kv": {
"field": "http_message",
"field_split": " ",
"value_split": "="
}
}
]
},
"docs": [
{
"_source": {
"http_message":"04/Jun/2017:06:26:49"
}
}
]
}
# pattern 3
POST _ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"kv": {
"field": "http_message",
"field_split": " ",
"value_split": "="
}
}
]
},
"docs": [
{
"_source": {
"http_message":"request=\"GET / HTTP/1.0\""
}
}
]
}
Raw
case2
POST _ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"request=%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}"
]
}
},
{
"set": {
"field": "request",
"value": "{{verb}} {{request}} HTTP/{{httpversion}}"
}
}
]
},
"docs": [
{
"_source": {
"message": "request=GET / HTTP/1.0"
}
}
]
}
Raw
case3
POST _ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"kv": {
"field": "http_message",
"field_split": " ",
"value_split": "="
}
}
]
},
"docs": [
{
"_source": {
"http_message":"request=\"GET / HTTP/1.0\""
}
},
{
"_source": {
"http_message":"request=GET"
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment