I have this UA in a log file
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2267.0 Safari/537.36
Now all I really want is to grab things like Windows NT 6.1 (i.e. win7) and WOW64 (i.e. 64 bit system).
My current grok filter parses all the things out and then runs a remove field
afterwards to discard the unwanted things. Is there an easier/cleaner way?
Use the useragent filter to parse such fields.
filter {
  useragent {
    source => "field-with-useragent"
  }
}
It won't extract the WOW64 string, though, but I doubt it's very useful anyway (and I'm sure not all browsers provide it). That said, you could look for that string yourself with a conditional:
if [field-with-useragent] =~ /\bWOW64\b/ {
  mutate {
    add_tag => ["64bit"]
  }
}
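To see what the two pieces of the answer produce together (OS fields from the useragent filter, a 64bit tag from the conditional), here is an added Python example that is not part of the thread and not Logstash code: it parses the UA from the question plus two constructed variants, maps the Windows NT kernel version to the product name and applies the same `\bWOW64\b` check (widened to the Win64/x64 token as well). The WINDOWS_NT_NAMES table, the regexes and the sample UAs are assumptions made for the example.

```python
import re

# Windows NT kernel versions as they appear in user-agent strings, mapped to
# product names; "Windows NT 6.1" is the Windows 7 case from the question.
WINDOWS_NT_NAMES = {
    "5.1": "Windows XP",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}

NT_RE = re.compile(r"\bWindows NT (\d+\.\d+)\b")
# WOW64 = 32-bit browser on 64-bit Windows; "Win64; x64" = native 64-bit build.
X64_RE = re.compile(r"\b(WOW64|Win64|x64)\b")
BROWSER_RE = re.compile(r"\b(Chrome|Firefox|MSIE)/(\d+(?:\.\d+)*)")


def parse_ua(ua: str) -> dict:
    """Extract OS name/version, browser and a 64-bit tag from one UA string.
    bits stays None when no 64-bit token is present: as the answer notes, not
    every browser sends WOW64, so its absence does not prove a 32-bit system."""
    out = {"os_name": None, "os_version": None, "bits": None,
           "browser": None, "browser_version": None, "tags": []}
    m = NT_RE.search(ua)
    if m:
        out["os_version"] = m.group(1)
        out["os_name"] = WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    if X64_RE.search(ua):
        out["bits"] = 64
        out["tags"].append("64bit")  # same tag the answer's mutate block adds
    b = BROWSER_RE.search(ua)
    if b:
        out["browser"], out["browser_version"] = b.group(1), b.group(2)
    return out


# Constructed sample UAs (not taken from a real log): the one from the question
# plus two variants that exercise the Win64/x64 and the non-Windows paths.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2267.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(parse_ua(ua))
```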