ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

LogAnalytics - apache_access logs, how to search on USERID field

book

Article ID: 145783

calendar_today

Updated On:

Products

CA App Experience Analytics

Issue/Introduction

Needs to be able to search on USERID field which is in the raw message.

10.138.104.72 - GRIVAS
[24/Jul/2019:14:28:26 +0200] - 80 - GET
/test/docs/img/sist_gest_talleres.gif HTTP/1.1 200 2356 http://test/ermpiescza/inicio.do?abc=2
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
.NET4.0C; .NET4.0E; Tablet PC 2.0)..

In this example the GRIVAS is the USERID and is how they get requests from the user community to search the logs.

Can the "auth" field be added to the log_parser.conf body text for apache_access logs ?

Environment

AXA 17.3.2

Resolution

Username i.e "GRIVAS" we are already parsing using pattern COMBINEDAPACHELOG_3 and coming into auth field. 

Add new filed in logparser.conf under apache_access section as below:

"username": "%{auth}"