Conditional Grok Pattern

AkilaSachin · July 9, 2019, 9:58am

Hi all,

172.26.76.68 - - [05/Jul/2019:08:52:55 +0530] GET /keyword1/rest/keyword2/keyword3/ keyword4/keyword5?moNo=123456 HTTP/1.1 200 40 7
172.26.76.69 - - [05/Jul/2019:08:52:53 +0530] GET /keyword1/keyword2/ 123456789/USD_123/xyz HTTP/1.1 200 1250 15
172.26.76.69 - - [05/Jul/2019:08:52:48 +0530] POST /keyword1/keyword2 HTTP/1.1 200 714 41

I need to get 2 and 3 logs files highlighted keywords as single variable. (first two words in URIPATH)
And if second word is equal to 'rest' word then get four words from URIPATH as single variable.
Ex: 1. API: {/keyword1/rest/keyword2/keyword3/}
2. API: {/keyword1/keyword2}
3. API: {/keyword1keyword2}

I created grok pattern to fullfill 2 and 3 log file requirement. But unable to match 1st type of logs.

%{IPORHOST:clientip}%{GREEDYDATA:junk}] (?:%{WORD:verb} (?/%{WORD}/%{WORD})%{GREEDYDATA:junk}) %{NUMBER:response} %{NUMBER:bytes} (?:%{NUMBER:time}|-)

Please kindly assist.

Badger · July 9, 2019, 12:57pm

For both you log file entries and your configuration you need to format them to avoid some characters being interpreted as markdown (note that you have some words in bold due to this). In the edit pane select the entries and click on </> in the toolbar above the edit pane, verify in the preview pane that the select text is now block quoted

Like this

Do the same for the configuration.

system · August 6, 2019, 12:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.