Yikes! How do you 'extract' specific info from specific messages!

Afternoon everyone,

I have recently set up a failover HAProxy cluster to load balance to a series of IIS backend servers - it was a bit of a learning curve but got there in the end.

I then thought it would be a good idea to set up some form of Syslog server to parse the logs to - I came across Graylog which hasn’t up until now been too bad to get my head around…until now!

So as it stands I have the HAProxy servers pumping logs into Graylog - but I have absolutely no idea how to extract the specific information in order to build the dashboards. Below is a typical message:

"haproxy[18542]: [29/May/2019:13:37:05.657] http_front http_back/ukbca2016lansa2.autologic.int 0/0/0/710/710 200 1090 - - ---- 5/5/0/1/0 0/0 “POST /dcxpgmlib/lansaweb?w=SM_DATASE&r=SR_GETVEHICLES&vlweb=1&part=dem&lang=ENG&developer=yes&_T=1559133425600 HTTP/1.1”

Ideally I would like to be able to extract specifically the response times so I can put them in a graph output. Does anyone have a definitive way of doing this? I’ve come across some documentation but to be honest it’s way over my head, so I need a how-to, or a step-by-step, so I can process the way it works.
Any help greatly appreciated.

I don’t have a step-by-step guide, because everyone’s needs are different.
You can extract the fields with a Grok extractor. Maybe it is the simplest way.
After that, if you need to, make an Elastic mapping to set the fields to the correct format, and do what you wish on the dashboard with the data.
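
As an added illustration (not part of the original posts, and not Graylog's own code), the Python sketch below spells out the field breakdown that a Grok or regex extractor has to express for the HAProxy HTTP log line in the question, and converts the timers to numbers so they can be graphed. The field names and the second sample line are assumptions made for this example.

```python
import re

# Constructed samples: the first is the message from the question with the
# query string shortened; the second is an aborted request with -1 timers.
SAMPLES = [
    'haproxy[18542]: [29/May/2019:13:37:05.657] http_front '
    'http_back/ukbca2016lansa2.autologic.int 0/0/0/710/710 200 1090 - - ---- '
    '5/5/0/1/0 0/0 "POST /dcxpgmlib/lansaweb?w=SM_DATASE HTTP/1.1"',
    'haproxy[18542]: 192.0.2.10:51234 [29/May/2019:13:37:09.101] http_front '
    'http_back/<NOSRV> 12/-1/-1/-1/12 503 212 - - SC-- '
    '3/3/0/0/0 0/0 "GET /health HTTP/1.1"',
]

# Field names are this example's choice. The five timers are HAProxy's
# Tq/Tw/Tc/Tr/Tt: request, queue, connect, server response, total (ms).
HAPROXY_HTTP = re.compile(
    r'haproxy\[(?P<pid>\d+)\]:\s+'
    r'(?:(?P<client_ip>[0-9A-Fa-f.:]+):(?P<client_port>\d+)\s+)?'  # optional
    r'\[(?P<accept_date>[^\]]+)\]\s+'
    r'(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+'
    r'(?P<time_request>-?\d+)/(?P<time_queue>-?\d+)/(?P<time_connect>-?\d+)/'
    r'(?P<time_response>-?\d+)/\+?(?P<time_total>-?\d+)\s+'
    r'(?P<status>-?\d+)\s+\+?(?P<bytes_read>\d+)\s+'
    r'\S+\s+\S+\s+(?P<termination_state>\S+)\s+'   # two cookie fields, state
    r'\S+\s+\S+\s+'                                # connection and queue counts
    r'"(?P<method>\S+)\s+(?P<uri>\S+)(?:\s+(?P<http_version>[^"]+))?"?'
)

NUMERIC = ("time_request", "time_queue", "time_connect", "time_response",
           "time_total", "status", "bytes_read")

def extract(message):
    """Return a dict of typed fields, or None if the line does not match."""
    m = HAPROXY_HTTP.search(message)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    for name in NUMERIC:
        value = int(fields[name])
        # HAProxy logs -1 for a phase that never completed; keep it out of
        # averages by storing None instead of a negative duration.
        fields[name] = None if value < 0 else value
    return fields

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract(line))
```

The `time_response` and `time_total` fields are the ones to chart for response times; storing them as numbers rather than strings is what the mapping step in the reply above is for.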

Thank you - I’ll look into that
