My current config is:
grok {
  match => {
    # Literal [ ] and . are escaped: an unescaped [ opens a regex character class,
    # so "ssss[1111]:" never matched. The URL part is unchanged (see question below).
    "message" => "%{WORD:month}\s*%{INT:day} %{INT:tmp1}:%{INT:tmp2}:%{INT:tmp3} %{USERNAME:proxy_server} %{WORD:squidnm}\[%{INT:proxy_port}\]:\s*%{POSINT:timestamp}\.%{WORD:timestamp_ms}\s+%{NUMBER:response_time} %{IPORHOST:client_ip} %{WORD:result_code}/%{NUMBER:http_resp_code} %{NUMBER:resp_len} %{WORD:request_method} %{URIPROTO:uri_proto}://(?:%{USER:user}(?::[^@]*)?@)?(?:%{URIHOST:uri_host})?(?:%{URIPATHPARAM:uri_param})? %{NOTSPACE:client_id} %{WORD:gateway_name}/%{USERNAME:proxy_req_server} %{NOTSPACE:content_type}"
  }
}
In the URL part, sometimes a URI appears and sometimes IP:PORT appears, like:
DEC 1 00:00:00 XX ssss[1111]: 1414780200.001 59144 XX.XX.XX.XX TCP_MISS/503 0 CONNECT 192.168.0.1:8888 - HIER_NONE/- -
DEC 1 00:00:00 XX ssss[1111]: 1414780200.002 59712 XX.XX.XX.XX TCP_MISS/503 4072 GET http://abc.cd.net/handlers?dsc=sadas&Ddc 123456 HIER_DIRECT/abc.cd.net text/html
How to deal with this?
Please help me with this.
Thanks.
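An added example, not from the question above: a Python regex that mirrors the grok fields and handles the request target as an alternation (full URL for GET-style lines, host:port for CONNECT tunnels), then normalises both into one `uri_host` field. The sample lines and the `uri_port`/`connect_host` names are constructed here; in grok the same alternation idea is `(?:%{URIPROTO}://...|%{IPORHOST}:%{POSINT})`.

```python
import re

# Constructed sample lines in the two shapes from the question (placeholder hosts, not real traffic).
SAMPLE_LINES = [
    "DEC 1 00:00:00 XX ssss[1111]: 1414780200.001 59144 10.1.2.3 TCP_MISS/503 0 "
    "CONNECT 192.168.0.1:8888 - HIER_NONE/- -",
    "DEC 1 00:00:00 XX ssss[1111]: 1414780200.002 59712 10.1.2.3 TCP_MISS/503 4072 "
    "GET http://abc.cd.net/handlers?dsc=sadas&Ddc 123456 HIER_DIRECT/abc.cd.net text/html",
]

# Request target: either a full URL (scheme://[user[:pass]@]host[path?query])
# or a bare host:port as written by CONNECT. Python's re cannot reuse a group
# name across alternatives, so the CONNECT side gets its own names (assumed here).
TARGET = (
    r"(?:(?P<uri_proto>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^:@/\s]+)(?::[^@\s]*)?@)?"
    r"(?P<uri_host>[^/?\s]+)(?P<uri_param>\S*)"
    r"|(?P<connect_host>[^\s:]+):(?P<connect_port>\d{1,5}))"
)

LINE_RE = re.compile(
    r"^(?P<month>\w+)\s*(?P<day>\d+) (?P<tmp1>\d+):(?P<tmp2>\d+):(?P<tmp3>\d+) "
    r"(?P<proxy_server>\S+) (?P<squidnm>\w+)\[(?P<proxy_port>\d+)\]:\s*"  # literal [ ] escaped
    r"(?P<timestamp>\d+)\.(?P<timestamp_ms>\d+)\s+(?P<response_time>\d+) "
    r"(?P<client_ip>\S+) (?P<result_code>\w+)/(?P<http_resp_code>\d+) "
    r"(?P<resp_len>\d+) (?P<request_method>\w+) " + TARGET +
    r" (?P<client_id>\S+) (?P<gateway_name>\w+)/(?P<proxy_req_server>\S+) (?P<content_type>\S+)$"
)


def parse_squid_line(line):
    """Return a dict of fields for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    # Normalise: a CONNECT target has no scheme, so expose it as uri_host/uri_port
    # and downstream searches can key on one host field for both line shapes.
    if "connect_host" in fields:
        fields["uri_host"] = fields.pop("connect_host")
        fields["uri_port"] = fields.pop("connect_port")
    return fields


def parse_lines(lines):
    """Parse many lines; unmatched lines are kept under 'unparsed', not silently dropped."""
    result = {"parsed": [], "unparsed": []}
    for line in lines:
        rec = parse_squid_line(line)
        result["parsed" if rec else "unparsed"].append(rec if rec else line)
    return result
```

Lines that match neither alternative end up in `unparsed`, which is the list to watch when the proxy starts emitting a third shape.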