This function extracts URI components from an input field and adds them as attributes to the event.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
defaultBase | string | optional[a] | A scheme and authority prefix or // , used as the base to resolve the input as a URI reference. Valid values are of the form // or scheme:// where scheme is a URI scheme . | |
field [b] | string | required | The name of the input field that contains the value to analyze. | |
prefix | string | optional[a] | input field name | An optional prefix for the field names for the components that are added to the event. It is an error to provide an empty prefix. |
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscaleparseUri("field")
and:
logscaleparseUri(field="field")
These examples show basic structure only.
This function is most useful for interpreting partial URIs like
www.example.com/path
: instead of requiring fully valid URIs,
parseUri()
accepts a "base" (for example,
defaultBase=http://
) used to
extract the hostname, port, path, query, and fragment parts.
if the input URI has no authority component, the event is left unchanged,
similar to the parseUrl()
behavior —
example.com
is interpreted as the scheme and it won't find a
hostname or path (because it is trying to interpret the input as a URI):
that's where providing the "base" can override such behavior.
If a base is used with a full URI, it is ignored; for example, consider this value in the url field:
ftp://example.com/path
The query:
parseUri(field="url", defaultBase="http://")
will extract url.scheme=ftp and not url.scheme=http.
See parseUri()
Examples for more examples.
This function is more lenient in what it considers a URI than the specification requires and matches mostly on the structure of the input (with some restrictions); this is by design to make the functionality useful in different contexts.
Note
This function does no normalization/decoding on the components (like percent-encoding or path normalization). This is intended to process the actual parts of the input as they were in the logs.
The fields added to the event are listed in table here below — they
are only added if the input can be parsed as a URI itself or resolved to a
URI reference by providing the
defaultBase
parameter. The
url.
prefix is replaced by the input field
name or the specified target field name.
Attribute | Description |
url.scheme | The scheme in input value, if found. Otherwise, the scheme found in the base, if a base argument is provided and has a scheme. |
url.hostname | The hostname, if found. |
url.username | The username, if found |
url.password | The password, if found. |
url.port | The port in the authority, if found. |
url.path | The path, if found in the input. It can be empty. |
url.query | The query component, if found in the input. |
url.fragment | The fragment component, if found in the input. |
Unless noted otherwise, the field for a component is not added if the component is not present in the input value.
Values are provided as found in the input, for example, without normalization (does not apply to scheme and port, which can't be normalized).
parseUri()
Examples
Input:
HTMLexample.com:8080/foo
Query:
logscaleparseUri(field="url", defaultBase="http://")
Output:
host=example.com path=/foo port=8080 scheme=http
Input:
HTMLexample.com:8080/foo
Query:
logscaleparseUri(field="url")
Output:
scheme=example.com path=8080/foo
Input:
HTMLftp://example.com:8080/foo
Query:
logscaleparseUri(field="url", defaultBase="http://")
Output:
host=example.com path=/foo port=8080 scheme=ftp