LogAnalytics - apache_access logs, how to search on USERID field
Article ID: 145783
Updated On:
Products
CA App Experience Analytics
Issue/Introduction
Needs to be able to search on USERID field which is in the raw message.
10.138.104.72 - GRIVAS
[24/Jul/2019:14:28:26 +0200] - 80 - GET
/test/docs/img/sist_gest_talleres.gif HTTP/1.1 200 2356 http://test/ermpiescza/inicio.do?abc=2
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
.NET4.0C; .NET4.0E; Tablet PC 2.0)..
In this example the GRIVAS is the USERID and is how they get requests from the user community to search the logs.
Can the "auth" field be added to the log_parser.conf body text for apache_access logs ?
10.138.104.72 - GRIVAS
[24/Jul/2019:14:28:26 +0200] - 80 - GET
/test/docs/img/sist_gest_talleres.gif HTTP/1.1 200 2356 http://test/ermpiescza/inicio.do?abc=2
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
.NET4.0C; .NET4.0E; Tablet PC 2.0)..
In this example the GRIVAS is the USERID and is how they get requests from the user community to search the logs.
Can the "auth" field be added to the log_parser.conf body text for apache_access logs ?
Environment
AXA 17.3.2
Resolution
Username i.e "GRIVAS" we are already parsing using pattern COMBINEDAPACHELOG_3 and coming into auth field.
Add new filed in logparser.conf under apache_access section as below:
"username": "%{auth}"
Add new filed in logparser.conf under apache_access section as below:
"username": "%{auth}"
Feedback
Yes
No
Powered by
