Closed matejzero closed 6 years ago
Hello,
I have an apache log looking like this:
[04/Jun/2018:07:51:29 +0200] test.example.com:80 10.10.10.2 - GET "/noindex/css/fonts/Semibold/OpenSans-Semibold.ttf"
When I write my test cases, I escape my line to make it JSON valid and at the end, my json file looks like so:
{ "codec": "line", "fields": { "type": "access", "appid": "httpd", "host": "testhost", "syslog_format": "false" }, "ignore": [ "logstash_node" ], "testcases": [ { "description": "http request", "input": [ "[04\/Jun\/2018:07:51:29 +0200] test.example.com:80 10.10.10.2 - GET \"\/noindex\/css\/fonts\/Semibold\/OpenSans-Semibold.ttf\"" ], "expected": [ { } ] } ] }
The problem is that when LFV sends the line to the Logstash, it leaves backslashes before double-quotes around request URL and tests fails (since the original log files don't have backslashed quotes).
GROK pattern for log: \[%{HTTPDATE:timestamp}\] %{DATA:vhost}:%{POSINT:port} %{IP:clientip} %{ARNESHTTPDUSER:user} %{WORD:method} \"%{DATA:urlpath}\" \"%{DATA:urlquery}\" %{NUMBER:response} %{NUMBER:servetime} (?:%{NUMBER:bytes}|-) \"%{DATA:referrer}\" %{QS:useragent}
\[%{HTTPDATE:timestamp}\] %{DATA:vhost}:%{POSINT:port} %{IP:clientip} %{ARNESHTTPDUSER:user} %{WORD:method} \"%{DATA:urlpath}\" \"%{DATA:urlquery}\" %{NUMBER:response} %{NUMBER:servetime} (?:%{NUMBER:bytes}|-) \"%{DATA:referrer}\" %{QS:useragent}
Output: "message": "[04/Jun/2018:07:51:29 +0200] test.example.com:80 10.10.10.2 - GET \"/noindex/css/fonts/Semibold/OpenSans-Semibold.ttf\"",
"message": "[04/Jun/2018:07:51:29 +0200] test.example.com:80 10.10.10.2 - GET \"/noindex/css/fonts/Semibold/OpenSans-Semibold.ttf\"",
Am I doing this wrong?
I replaced double quotes with singles inside the log file and that was that:) Quick and easy.
Hello,
I have an apache log looking like this:
When I write my test cases, I escape my line to make it JSON valid and at the end, my json file looks like so:
The problem is that when LFV sends the line to the Logstash, it leaves backslashes before double-quotes around request URL and tests fails (since the original log files don't have backslashed quotes).
GROK pattern for log:
\[%{HTTPDATE:timestamp}\] %{DATA:vhost}:%{POSINT:port} %{IP:clientip} %{ARNESHTTPDUSER:user} %{WORD:method} \"%{DATA:urlpath}\" \"%{DATA:urlquery}\" %{NUMBER:response} %{NUMBER:servetime} (?:%{NUMBER:bytes}|-) \"%{DATA:referrer}\" %{QS:useragent}
Output:
"message": "[04/Jun/2018:07:51:29 +0200] test.example.com:80 10.10.10.2 - GET \"/noindex/css/fonts/Semibold/OpenSans-Semibold.ttf\"",
Am I doing this wrong?