Hi,
I'm trying to parse a log which will insert a hyphen for some fields when there is no value.
Is there an easy way with grok to treat the hyphen as if the value is absent, i.e. not add the hyphen as a value, but continue to parse the rest of the values correctly?
Two example lines from the log:
2017-11-01 12:03:47 - - - "-" 10.0.0.100 "-" - "-" - "VS: name"
2017-11-01 12:44:01 10.0.0.1 "/file.cfc?test=thing" 192.168.1.1:80 192.168.1.1:80 "P: pool1" 10.0.0.100 "thing1=24; thing2=5;" 200 "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" 2 "VS: name"
Current filter:
%{TIMESTAMP_ISO8601:log_timestamp} %{DATA:TrueClientIP} (%{DATA:RequestPath})? %{DATA:Node} %{DATA:RequiredNode} %{QUOTEDSTRING:Pool} %{IPV4:RequestIP} %{QUOTEDSTRING:Cookie} %{DATA:StatusCode} %{QUOTEDSTRING:UserAgent} %{DATA:Hops} %{QUOTEDSTRING:VirtualServer}
I am very new to grok and appreciate that my filter is probably wrong in many ways, and I welcome any constructive criticism.
Thanks,
Ewan.
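
One way to get the behaviour asked about above, as an added example that is not part of the original post: each placeholder-capable field becomes an alternation of a bare hyphen and a typed named capture, so a hyphen consumes the field without creating a value. It reuses the field names from the posted filter and assumes that the quoted RequestPath field is missing entirely from the first sample line (that line has one field fewer than the second) and that Node and RequiredNode are always host:port when present.

```logstash
filter {
  grok {
    # "(?:-|%{TYPE:field})" matches either the placeholder hyphen or a typed value.
    # When the hyphen branch matches, the named capture does not take part in the
    # match, and grok does not add the field (keep_empty_captures defaults to false).
    # Quoted fields keep their quotes outside the capture, so the stored value is unquoted.
    # Typed patterns (IP, HOSTPORT, INT) replace DATA so that a malformed or hostile
    # value fails the match instead of being stored under the wrong field name.
    match => {
      "message" => '^%{TIMESTAMP_ISO8601:log_timestamp} (?:-|%{IP:TrueClientIP})(?: "(?:-|%{DATA:RequestPath})")? (?:-|%{HOSTPORT:Node}) (?:-|%{HOSTPORT:RequiredNode}) "(?:-|%{DATA:Pool})" %{IPV4:RequestIP} "(?:-|%{DATA:Cookie})" (?:-|%{INT:StatusCode}) "(?:-|%{DATA:UserAgent})" (?:-|%{INT:Hops}) "(?:-|%{DATA:VirtualServer})"$'
    }
  }
}
```

With this pattern the first sample line yields only log_timestamp, RequestIP and VirtualServer, while the second yields all twelve fields. Lines that do not fit the layout are tagged `_grokparsefailure` rather than partially parsed.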