This function extracts URI components from an input field and adds them as attributes to the event.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
defaultBase | string | optional[a] | A scheme and authority prefix or // , used as the base to resolve the input as a URI reference. Valid values are of the form // or scheme:// where scheme is a URI scheme . | |
field [b] | string | required | The name of the input field that contains the value to analyze. | |
prefix | string | optional[a] | input field name | An optional prefix for the field names for the components that are added to the event. It is an error to provide an empty prefix. |
[a] Optional parameters use their default value unless explicitly set. |
This function is most useful for interpreting partial URIs like
www.example.com/path
: instead of requiring fully
valid URIs, parseUri()
accepts a "base"
(for example,
defaultBase=http://
)
used to extract the hostname, port, path, query, and fragment
parts.
if the input URI has no authority component, the event is left
unchanged, similar to the parseUrl()
behavior — example.com
is interpreted as the
scheme and it won't find a hostname or path (because it is
trying to interpret the input as a URI): that's where providing
the "base" can override such behavior.
If a base is used with a full URI, it is ignored; for example, consider this value in the url field:
ftp://example.com/path
The query:
parseUri(field="url", defaultBase="http://")
will extract url.scheme=ftp and not url.scheme=http.
See parseUri()
Examples for more
examples.
This function is more lenient in what it considers a URI than the specification requires and matches mostly on the structure of the input (with some restrictions); this is by design to make the functionality useful in different contexts.
Note
This function does no normalization/decoding on the components (like percent-encoding or path normalization). This is intended to process the actual parts of the input as they were in the logs.
The fields added to the event are listed in table here below
— they are only added if the input can be parsed as a URI
itself or resolved to a URI reference by providing the
defaultBase
parameter. The url.
prefix is
replaced by the input field name or the specified target field
name.
Attribute | Description |
url.scheme | The scheme in input value, if found. Otherwise, the scheme found in the base, if a base argument is provided and has a scheme. |
url.hostname | The hostname, if found. |
url.username | The username, if found |
url.password | The password, if found. |
url.port | The port in the authority, if found. |
url.path | The path, if found in the input. It can be empty. |
url.query | The query component, if found in the input. |
url.fragment | The fragment component, if found in the input. |
Unless noted otherwise, the field for a component is not added if the component is not present in the input value.
Values are provided as found in the input, for example, without normalization (does not apply to scheme and port, which can't be normalized).
parseUri()
Examples
Input:
HTMLexample.com:8080/foo
Query:
logscaleparseUri(field="url", defaultBase="http://")
Output:
host=example.com path=/foo port=8080 scheme=http
Input:
HTMLexample.com:8080/foo
Query:
logscaleparseUri(field="url")
Output:
scheme=example.com path=8080/foo
Input:
HTMLftp://example.com:8080/foo
Query:
logscaleparseUri(field="url", defaultBase="http://")
Output:
host=example.com path=/foo port=8080 scheme=ftp