It is not that grok that is failing.
I've tried this grok filter for api messages:
match => { "resource" => "(/[^\/]+)?/[^/]+/(?<repo>[^/]+)(/%{GREEDYDATA:resource_path})?" }
Test messages:
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test|HTTP/1.1|200|452
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/|HTTP/1.1|200|452
For these messages the repo is getting parsed as "test" rather than an empty value or empty string.
But for the messages
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/Lighter-test-group|HTTP/1.1|200|452
20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/Lighter-test-group/2.0|HTTP/1.1|200|452
repo values are getting parsed as "Lighter-test-group", which is the right value.
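To show why the posted pattern assigns "test" to repo, here is an added Python example (not from the original post and not Logstash's own code) that runs the posted pattern, translated to Python's re syntax, against the four log lines from the post, next to an anchored variant (an assumption for illustration, not the poster's config) that leaves repo empty when the resource has only two segments.

```python
import re

# The poster's grok pattern in Python re syntax: grok's %{GREEDYDATA} is .*
# and (?<name>...) becomes (?P<name>...). The leading group is optional and
# the pattern is unanchored, so for /api/test the engine backtracks, skips
# the optional group, lets /[^/]+/ consume "/api/" and captures "test" as repo.
POSTED = r"(/[^/]+)?/[^/]+/(?P<repo>[^/]+)(/(?P<resource_path>.*))?"

# Assumed alternative (not from the post): anchor to the start of the field
# and make the two leading segments mandatory, so repo can only be filled by
# a third segment.
ANCHORED = r"^/[^/]+/[^/]+(?:/(?P<repo>[^/]*))?(?:/(?P<resource_path>.*))?$"

# Constructed input: the four pipe-delimited lines quoted in the post.
LOG_LINES = [
    "20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test|HTTP/1.1|200|452",
    "20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/|HTTP/1.1|200|452",
    "20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/Lighter-test-group|HTTP/1.1|200|452",
    "20190815175019|9599|REQUEST|14.56.55.120|anonymous|POST|/api/test/Lighter-test-group/2.0|HTTP/1.1|200|452",
]


def resource_field(line):
    """Return the resource column (7th pipe-separated field) of a log line."""
    return line.split("|")[6]


def extract(pattern, resource):
    """Apply a pattern to the resource and return repo/resource_path (unmatched groups as "")."""
    m = re.search(pattern, resource)
    if not m:
        return None
    return {
        "repo": m.group("repo") or "",
        "resource_path": m.group("resource_path") or "",
    }


def compare(lines):
    """Side-by-side result of both patterns for every log line."""
    return [
        (resource_field(l), extract(POSTED, resource_field(l)), extract(ANCHORED, resource_field(l)))
        for l in lines
    ]


if __name__ == "__main__":
    for resource, posted, anchored in compare(LOG_LINES):
        print(f"{resource:40} posted={posted}  anchored={anchored}")
```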