Created by
Daniel Chalk
last modified
| # Very cheap & nasty Grok expression to be used with DataDogs log processor
alb.http %{_http_protocol} %{_date_access} %{_elb_name} (%{_client_ip}:%{_client_port}|-) (%{_target_ip}:%{_target_port}|-) %{_request_processing_time} %{_backend_processing_time} %{_reponse_processing_time} (?:%{_status_code}|-) (?:%{_backend_status_code}|-) %{_bytes_read} %{_bytes_written} "(?>%{_method} |- )%{_url}(?> %{_version}| - )" "%{_user_agent}" %{_ssl_cipher} %{_ssl_protocol} %{_arn} "%{_trace}" "%{_domain}" "%{_cert}"
# Patterns
_http_protocol %{word:http.protocol}
_date_access %{date("yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"):date_access}
_elb_name %{notSpace:elb.name}
_target_ip %{ipOrHost:network.target.ip}
_target_port %{integer:network.target.port}
_client_ip %{ipOrHost:network.client.ip}
_client_port %{integer:network.client.port}
_request_processing_time %{number:elb.performance.request_processing_time:scale(1000)}
_backend_processing_time %{number:elb.performance.backend_processing_time:scale(1000)}
_reponse_processing_time %{number:elb.performance.response_processing_time:scale(1000)}
_status_code %{integer:http.status_code}
_backend_status_code %{integer:elb.backend_status_code}
_ssl_cipher %{notSpace:http.ssl.cipher:nullIf("-")}
_ssl_protocol %{notSpace:http.ssl.protocol:nullIf("-")}
_bytes_written %{integer:network.bytes_written}
_bytes_read %{integer:network.bytes_read}
_response_time %{number:http.response_time}
_version HTTP\/%{regex("\\d+\\.\\d+"):http.version}
_url %{notSpace:http.url:nullIf("-")}
_user_agent %{regex("[^\\\"]*"):http.useragent:nullIf("-")}
_method %{word:http.method}
_arn %{notSpace:elb.target_group_arn}
_trace %{notSpace:elb.trace_id}
_domain %{notSpace:elb.domain}
_cert %{notSpace:elb.cert_arn}
# Sample Data - More Samples are needed
#http 2017-12-21T22:15:01.198958Z app/avst-private/a51b8994a6e07665 10.0.0.107:55852 10.0.0.160:32784 0.000 0.012 0.000 200 200 230 711 "GET http://internal-avst-private-1112096183.us-west-2.elb.amazonaws.com:80/tenant/v1/tenant/com.onresolve.jira.groovy.groovyrunner/jira:12965739
|
