For ELB logs, the user wants the extra fields that are part of the version 2 definition to be parsed and extracted as well:
"target:port_list"
"target_status_code_list"
"classification"
"classification_reason"
At the moment, these fields do not appear in the GROK patterns:
# HTTP from Application Load Balancers (v2 Load Balancers)
- >-
  %{ELBV2TYPE}
  %{ELBHTTPLOG}
  %{NOTSPACE:aws.elb.target_group.arn}
  \"%{DATA:aws.elb.trace_id}\"
  \"(?:-|%{DATA:destination.domain})\"
  \"(?:-|%{DATA:aws.elb.chosen_cert.arn})\"
  (?:-1|%{NUMBER:aws.elb.matched_rule_priority})
  %{TIMESTAMP_ISO8601:event.start}
  \"(?:-|%{DATA:_tmp.actions_executed})\"
  \"(?:-|%{DATA:aws.elb.redirect_url})\"
  \"(?:-|%{DATA:aws.elb.error.reason})\"
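The pattern above stops at the error reason, so the four requested fields, which follow it in an ALB entry, are never read. As an added illustration (not the module's code and not the requested grok change), this Python example extracts them from constructed sample lines; the dictionary keys, the `needs_review` flag and the field index are assumptions based on the field order AWS documents for ALB access logs.

```python
import re

# A token is either a double-quoted string or a run of non-space characters.
# Assumption: quoted fields never contain a raw double quote.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Assumed index of "target:port_list": the field right after error_reason.
FIRST_NEW_FIELD = 25

def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok

def parse_new_fields(line):
    """Return the four trailing fields as a dict, or None if the entry lacks them."""
    tokens = [_unquote(t) for t in TOKEN_RE.findall(line)]
    if len(tokens) < FIRST_NEW_FIELD + 4:
        return None  # older entry that ends at error_reason
    ports, codes, cls, reason = tokens[FIRST_NEW_FIELD:FIRST_NEW_FIELD + 4]
    as_list = lambda v: [] if v == "-" else v.split()  # lists are space-delimited
    as_opt = lambda v: None if v == "-" else v         # "-" means "no value"
    return {
        "target_port_list": as_list(ports),
        "target_status_code_list": [int(c) for c in as_list(codes)],
        "classification": as_opt(cls),
        "classification_reason": as_opt(reason),
        # Hypothetical triage flag: anything other than Acceptable deserves a look.
        "needs_review": as_opt(cls) not in (None, "Acceptable"),
    }

# Constructed sample entry (all values invented), up to and including error_reason.
PREFIX = (
    'https 2024-01-01T00:00:00.000000Z app/example-lb/0123456789abcdef '
    '192.0.2.10:54321 10.0.0.5:80 0.001 0.002 0.000 200 200 34 366 '
    '"GET https://example.com:443/ HTTP/1.1" "curl/8.0.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef '
    '"Root=1-00000000-000000000000000000000000" "example.com" "-" '
    '0 2024-01-01T00:00:00.000000Z "forward" "-" "-"'
)
SAMPLE_OK = PREFIX + ' "10.0.0.5:80" "200" "Acceptable" "-"'
SAMPLE_RETRY = PREFIX + ' "10.0.0.5:80 10.0.0.6:80" "502 200" "Ambiguous" "AmbiguousUri"'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_RETRY, PREFIX):
        print(parse_new_fields(sample))
```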