Below is a sample of 2 messages that I receive and am trying to run through a GROK filter to capture the requested URL. I would like to discard everything starting with the ? until the next element which is the response code.
Without ? in URL path:
```
2016-14-12 14:45:33,655 [sdfsdfd] DEBUG were.were.werwer - Total TEST Time: 12591 for 1 total elements /teset/setset/setst/setwetghdfgh 200
```
With ? in URL path:
```
2016-14-12 14:45:33,655 [sdfsdfd] DEBUG were.were.werwer - Total TEST Time: 12591 for 1 total elements /teset/setset/setst/setwetg?hdfgh 200
```
Here is the GROK filter that I am trying to get to work:
```
.*Enrichment Time: %{NUMBER:enrich_time} for %{NUMBER:total_sel}.*selectors %{DATA:requesturl}.[^?]* %{NUMBER:statuscode}
```
This filter will work fine for the message with the ? in the URL path but returns the below for the message without the ?.
```
{
  "enrich_time": [
    "12591"
  ],
  "total_sel": [
    "1"
  ],
  "requesturl": [
    ""
  ],
  "statuscode": [
    "200"
  ]
}
```
I tried running the expression to look for either a ? or space but couldn't get the OR to work in the regex. Any suggestions?
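
Added example, not part of the original post: a Ruby script (Ruby's regex engine is the Oniguruma family that grok patterns compile to) that reproduces the empty `requesturl` on both sample lines and compares it with a capture that stops at the first `?` or whitespace. Assumptions: `%{NUMBER}` is reduced to `\d+`, `%{DATA}` to `.*?`, and the literal words in the pattern are adapted to the text that actually appears in the sample lines.

```ruby
# Both log lines are taken from the post and embedded so the script runs offline.
HEAD = "2016-14-12 14:45:33,655 [sdfsdfd] DEBUG were.were.werwer - " \
       "Total TEST Time: 12591 for 1 total elements "
SAMPLES = {
  without_query: HEAD + "/teset/setset/setst/setwetghdfgh 200",
  with_query:    HEAD + "/teset/setset/setst/setwetg?hdfgh 200"
}.freeze

# Assumption: simplified stand-ins for the grok macros used in the post.
NUMBER = '\d+'  # %{NUMBER} reduced to plain digits
DATA   = '.*?'  # %{DATA} is a lazy "match anything"

# Assumption: literal words adapted to the sample lines ("Time:", "elements").
PREFIX = ".*Time: (?<enrich_time>#{NUMBER}) for (?<total_sel>#{NUMBER}).*elements "

# Shape of the filter from the post: lazy DATA, then ".[^?]*" before the status.
# Without a "?" in the line, ".[^?]*" can swallow the whole path, so the lazy
# capture is allowed to stay empty.
ORIGINAL = Regexp.new(PREFIX + "(?<requesturl>#{DATA}).[^?]* (?<statuscode>#{NUMBER})")

# Alternative: the capture itself excludes "?" and whitespace, and the query
# string is an optional, non-captured group that is simply discarded.
REVISED = Regexp.new(PREFIX + "(?<requesturl>[^?\\s]+)(?:\\?\\S*)? (?<statuscode>#{NUMBER})")

# Returns a hash of named captures, or nil when the line does not match.
def extract(regex, line)
  match = regex.match(line)
  match ? match.named_captures : nil
end

if __FILE__ == $PROGRAM_NAME
  { "original" => ORIGINAL, "revised" => REVISED }.each do |name, regex|
    SAMPLES.each do |label, line|
      fields = extract(regex, line)
      puts "#{name} / #{label}: requesturl=#{fields['requesturl'].inspect} " \
           "statuscode=#{fields['statuscode']}"
    end
  end
end
```

Grok accepts inline named groups, so the revised tail can be written in the filter as `(?<requesturl>[^?\s]+)(?:\?\S*)? %{NUMBER:statuscode}`.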