Help with extractor


(Anvers) #1

Hi everyone,

I need help with the extractor. Is it possible? I need to separate this message:

LIWSVAN01VPR: <Thu, 06 Sep 2018 17:38:11,ART> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=Castro Albornoz, Leonora,tk_url=https://www.youtube.com/,tk_size=2887,tk_date_field=2018-09-06 17:38:11-0300,tk_protocol=https,tk_mime_content=image/jpeg,tk_server=LIWSVAN01VPR,tk_client_ip=172.20.5.35,tk_server_ip=216.58.202.46,tk_domain=www.youtube.com,tk_path=/,tk_file_name=,tk_operation=CONNECT,tk_uid=0037241788-efa175e8d476f3110962,tk_category=0,tk_category_type=0

Only need

[EVT_URL_ACCESS_TRACKING|LOG_INFO]
username=Castro Albornoz, Leonora
_url=https://www.youtube.com/

I tried with split & index but I had no luck.

Can someone help me, please?

Thanks!


#2

I can suggest the simple way: create 2 different extractors (username, url).


Regexp-based extractor, e.g. tk_url=(.*),tk_size
(or you can play with grok patterns if you have a lot of time :) )

If you don't need the full message you can drop it with a pipeline,
e.g. if the username and url fields exist, remove the message or overwrite it with "", but I don't know whether it is supported or not; I haven't tried yet.


(Jan Doberstein) #3

I personally would try a GROK extractor or a Processing Pipeline.


(Anvers) #5

Thanks!!!


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.