Grok regular expression doesn't contain a word not working

I have the following log: - localhost [24/Dec/2018:02:53:15 +0800] "GET /test/ui/favicons/favicon.ico HTTP/1.1" 304 0 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

The current pattern is as follows:
%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} [%{HTTPDATE:[nginx][access][time]}] "%{WORD:[nginx][access][method]} %{MONI_NOT} HTTP/%{NUMBER:[nginx][access][http_version]}" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} "%{DATA:[nginx][access][referrer]}" "%{DATA:[nginx][access][agent]}"

MONI_NOT ^((?!monitor).)*$

In the grok debugger can not match's not working, as shown below:

The other part is removed, it can match:

I hope that as long as the string that does not contain "monitor" is matched to
I am sure this regular expression can work:

Your MONI_NOT pattern starts with the beginning-of-line anchor (^), which means that it will never succeed when preceeded by anything other than the beginning of a line.

I would like to ask how can I change MONI_NOT pattern ?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.