Wondering if I should be applying a (?=subexp) look-ahead match rule but I haven't been able to do so successfully,
Basically I need to do a grok match against a.b.c/1/2/A/IN or a.b/1/AA/IN where the setup is something as follows,
grok{
match => {
message => "([\S]+)/(? lt var rt [A-Z]+)/IN"
}
I'm attempting to capture whatever is near the ending before /IN , though "/IN" may be something else.
thanks
What are you saying, that you want to capture the last path component before the final /IN, but that /IN can be anything so you're really looking for the second-last path component? Or everything except the last one?
that's correct I have string/capture/string - the first string can contain any number of slashes, but the capture would always be the second-last part
An expression like
/(?<capture>[^/]+)/[^/]+$
should work fine here.
I sort of simplified the problem so as to make it easy and your solution is correct, but here again my mistake for not mentioning the whole pattern..
it's pretty much the same given string but instead in the middle of a larger string where the general format is something like > "a b c 'a.com/1/2/A/IN' x"
here the actual message is,
"client 1.1.1.1#40162 (a.com): query (cache) 'a.com/A/IN' denied\n"
"message"=> "client %{HOSTNAME:dcip}#([0-9]+) ?(%{HOSTNAME:qry}): ([\S]+) (([\S]+)) (?ltcapturert[\S]+) (?ltbindmsgrt[\S]+)\n"
Here grok passes successfully, and so I just need to focus on the same example 'a.com/1/2/A/IN' (adding single quotes) but instead I'm trying to have it in a larger string.
thanks
In that case something like
/(?<capture>[^/]+)/[^']+'
should work.
Hint: Format regular expressions as code. Then your angle brackets in your text won't disappear when your text is rendered as Markdown.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.