• Eventually, I found that this pipeline works correctly:

    {
      "description": "Pipeline for parsing PHP-FPM logs",
      "processors": [
        {
          "grok": {
            "pattern_definitions": {
              "PHP_DATE": "%{MONTHDAY}[\/-]%{MONTH}[\/-]%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND}"
            },
            "ignore_missing": true,
            "field": "message",
            "patterns": [
              "\\[%{PHP_DATE:php.time}\\] %{LOGLEVEL:log.level}: %{GREEDYDATA:message}"
            ]
          }
        },
        {
          "rename": {
            "field": "@timestamp",
            "target_field": "event.created"
          }
        },
        {
          "date": {
            "field": "php.time",
            "target_field": "@timestamp",
            "formats": [
              "dd-MMM-yyyy H:m:s"
            ],
            "timezone":"{{event.timezone}}",
            "on_failure": [
              {
                "append": {
                  "field": "error.message",
                  "value": "{{ _ingest.on_failure_message }}"
                }
              }
            ]
          }
        },
        {
          "remove": {
            "field": "php.time",
            "ignore_failure": true
          }
        },
        {
          "grok": {
            "pattern_definitions": {
              "PHP_ROOT_PREFIX": "\\\/var\\\/www\\\/",
              "REQUEST_PREFIX": "\\(request:\\ \\\""
            },
            "ignore_missing": true,
            "ignore_failure": true,
            "field": "message",
            "patterns": [
              "%{PHP_ROOT_PREFIX}%{HOSTNAME:url.domain}.*%{REQUEST_PREFIX}%{WORD:http.request.method} %{URIPATH:url.original}"
            ]
          }
        },
        {
          "grok": {
            "pattern_definitions": {
              "TIME_PREFIX": "too\\ slow\\ \\("
            },
            "ignore_missing": true,
            "ignore_failure": true,
            "field": "message",
            "patterns": [
              "%{TIME_PREFIX}.*%{BASE10NUM:php.duration:float}"
            ]
          }
        },
        {
          "urldecode" : {
            "field": "message",
            "target_field":"message",
            "ignore_missing": true
          }
        }
      ],
      "on_failure": [
        {
          "set": {
            "field": "error.message",
            "value": "{{ _ingest.on_failure_message }}"
          }
        }
      ]
    }