elb-access-log-to-combined.awk

#!/usr/bin/env gawk
# 
# Transform ELB access log to Apache/Nginx combined access log format - useful for replaying ELB logs with JMeter
#
BEGIN {

}
# ----
{
  # 2016-04-20T15:05:39.777359Z elb_name 18.187.30.86:47983 10.0.11.143:80 0.000023 0.375377 0.000026 200 200 0 8853 "GET https://host.example.com:443/v1.1/listings?bounds[top_left][latitude]=34.055969&bounds[top_left][longitude]=-118.041738&bounds[bottom_right][latitude]=33.937845&bounds[bottom_right][longitude]=-117.918142&types=funstuff&limit=200 HTTP/1.1" "Dalvik/2.1.0 (Linux; U; Android 5.1; HTC Desire 626s Build/LMY47O)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
  
  #http://stackoverflow.com/questions/6619619/awk-consider-double-quoted-string-as-one-token-and-ignore-space-in-between
  split($0, q, "\"")
  url=q[2]
  user_agent=q[4]

  timestamp=$1
  elb=$2
  client=$3 #ip:port
  backend=$4 #ip:port
  request_processing_time=$5
  backend_processing_time=$6
  response_processing_time=$7
  response=$8
  backend_response=$9
  received_bytes=$10
  bytes=$11
  enc=$(NF - 1)
  tls=$NF

  request = gensub(/(http.*:\/\/[[:alnum:].-]+):([[:digit:]]+)(.+)/,"\\3","g",url)
  print client, "- - [" timestamp "] \"" request "\"", response, bytes, "\"no_referrer_in_elb_logs\" \"" user_agent "\""
}
# ----
END {
}

# vim: ts=2 sts=2 sw=2 et

if anyone else encounters this, as of 2018-06 it appears the first field in the logs is the protocol (https vs. h2) so the fields are shifted right by 1.