Re: Logserver Alerts below threshold not working

Posted: Mon Sep 21, 2015 12:23 pm
by weveland
So for the Apache log captures I should just use:
%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response_code} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}
Or should I just change my other filter to not use response?

Re: Logserver Alerts below threshold not working

Posted: Mon Sep 21, 2015 12:28 pm
by weveland
Perfect, I love when my answers are more deterministic!

I do have one more issue that I thought was related to this initially, but it appears it is not now. I will open it up in a separate post if that's OK with you?

Re: Logserver Alerts below threshold not working

Posted: Mon Sep 21, 2015 12:39 pm
by jolson
To make certain that it's assigned as an integer, you can tell the field which type to use by appending ':int' to any grok filter. For example:

%{NUMBER:response_code:int}
This will ensure that the match for 'response_code' will always be assigned the 'integer' type. That is what I recommend doing - best practice would be calling it something specific like 'apache_response'.

%{NUMBER:apache_response:int}
No problem - go ahead and open up another post. :)
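Added example (not code from the thread, from Nagios Log Server or from Logstash): a small Python grok expander that shows why weveland's untyped Apache pattern breaks a numeric alert threshold and how jolson's `:int` suffix fixes it. The grok pattern definitions are a simplified subset written for this example, the Apache log lines are constructed, and the threshold check mimics a range query that silently ignores non-numeric values (a simplification of how a string-typed field behaves in the search backend).

```python
import re

# Simplified subset of the grok pattern library, constructed for this example;
# the real definitions are longer, but these accept ordinary Apache access lines.
GROK_PATTERNS = {
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)",
    "USER": r"[A-Za-z0-9._-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "DATA": r".*?",
    "QS": r'"(?:[^"\\]|\\.)*"',
}

# A grok token is %{SYNTAX}, %{SYNTAX:field} or %{SYNTAX:field:int|float}.
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?(?::(int|float))?\}")
CASTS = {"int": int, "float": float}

# The pattern from the thread, as posted (response_code stays a string) ...
APACHE_UNTYPED = (
    r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
    r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
    r'%{NUMBER:response_code} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}'
)
# ... and the same pattern with the recommended specific, typed field name.
APACHE_TYPED = APACHE_UNTYPED.replace(
    "%{NUMBER:response_code}", "%{NUMBER:apache_response:int}"
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LINES = [
    '10.0.0.5 - - [21/Sep/2015:12:23:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Sep/2015:12:24:10 -0500] "POST /login HTTP/1.1" 500 512 "http://example.test/" "curl/7.43"',
    '10.0.0.9 - - [21/Sep/2015:12:25:30 -0500] "GET /admin HTTP/1.1" 503 - "-" "Mozilla/5.0"',
]


def compile_grok(pattern):
    """Expand grok tokens into named regex groups; return (regex, field->type)."""
    types = {}

    def expand(m):
        syntax, field, typ = m.groups()
        regex = GROK_PATTERNS[syntax]
        if field is None:
            return f"(?:{regex})"          # anonymous token, no capture
        if typ:
            types[field] = typ             # remember the requested cast
        return f"(?P<{field}>{regex})"

    return re.compile(GROK_TOKEN.sub(expand, pattern)), types


def grok_match(pattern, line):
    """Parse one line; returns a dict of fields (typed where requested) or None."""
    regex, types = compile_grok(pattern)
    m = regex.match(line)
    if m is None:
        return None
    event = m.groupdict()
    for field, typ in types.items():
        # Optional groups that did not participate (e.g. bytes when "-") stay None.
        if event.get(field) is not None:
            event[field] = CASTS[typ](event[field])
    return event


def count_at_least(lines, pattern, field, threshold):
    """Count events whose numeric field >= threshold.

    Mimics a numeric range query: values that are not numbers (a field left as
    a string because ':int' was omitted) never match, so the alert stays at 0.
    """
    hits = 0
    for line in lines:
        event = grok_match(pattern, line)
        if event is None:
            continue
        value = event.get(field)
        if isinstance(value, (int, float)) and value >= threshold:
            hits += 1
    return hits


if __name__ == "__main__":
    print("untyped 5xx count:", count_at_least(SAMPLE_LINES, APACHE_UNTYPED, "response_code", 500))
    print("typed 5xx count:  ", count_at_least(SAMPLE_LINES, APACHE_TYPED, "apache_response", 500))
```

Running it prints 0 for the untyped pattern and 2 for the typed one on the same three lines: the filter matches either way, but a threshold alert can only compare numbers, so the cast has to happen at parse time. Keeping the field name specific (`apache_response`) also avoids colliding with a same-named field that another filter might emit as a string.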