Fix url scheme grok pattern

bhapas · bhapas · commit 962c79b7bb7b · 2023-06-13T08:50:22.000+02:00
diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc
@@ -82,6 +82,7 @@ The list below covers the major changes between 7.0.0-rc2 and main only.
 - Fix the ingest pipeline for mysql slowlog to parse schema name with dash {pull}34371[34372]
 - Fix the multiple host support for mongodb module {pull}34624[34624]
 - Skip HTTPJSON flakey test. {issue}34929[34929] {pull}35138[35138]
+- Fix ingest pipeline for panw module to parse url scheme correctly {pull}35138[35138]
 
 ==== Added
 
@@ -101,7 +102,7 @@ The list below covers the major changes between 7.0.0-rc2 and main only.
 - Only Load minimal template if no fields are provided. {pull}12103[12103]
 - Add new option `IgnoreAllErrors` to `libbeat.common.schema` for skipping fields that failed while converting. {pull}12089[12089]
 - Deprecate setup cmds for `template` and `ilm-policy`. Add new setup cmd for `index-management`. {pull}12132[12132]
-- Use the go-lookslike library for testing in heartbeat. Eventually the mapval package will be replaced with it. {pull}12540[12540]
+- Use the go-lookslike library for testing in heartbeat. Eventually the mapval package will be replaced with it. {pull}12540[125πtt40]
 - New ReporterV2 interfaces that can receive a context on `Fetch(ctx, reporter)`, or `Run(ctx, reporter)`. {pull}11981[11981]
 - Generate configuration from `mage` for all Beats. {pull}12618[12618]
 - Add ClientFactory to TCP input source to add SplitFunc/NetworkFuncs per client. {pull}8543[8543]
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log
@@ -98,3 +98,4 @@ Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,81.2.69.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
 Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,81.2.69.143,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,67.43.156.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"www.sportspar.de/widgets/index/refreshStatistic?requestPage=/&requestController=index&referer=https://www.google.com/" will be parsed in url.domain: "www.google.com",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html
