Grok regular expression doesn't contain a word not working

I have the following log:
8.8.8.8 - localhost [24/Dec/2018:02:53:15 +0800] "GET /test/ui/favicons/favicon.ico HTTP/1.1" 304 0 "https://www.google.com.tw/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

The current pattern is as follows:
%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} [%{HTTPDATE:[nginx][access][time]}] "%{WORD:[nginx][access][method]} %{MONI_NOT} HTTP/%{NUMBER:[nginx][access][http_version]}" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} "%{DATA:[nginx][access][referrer]}" "%{DATA:[nginx][access][agent]}"

MONI_NOT ^((?!monitor).)*$

In the grok debugger it cannot match; it's not working, as shown below:

When the other parts are removed, it can match:

I want any string that does not contain "monitor" to be matched.
I am sure this regular expression can work:

Your MONI_NOT pattern starts with the beginning-of-line anchor (^), which means that it will never succeed when preceded by anything other than the beginning of a line.

I would like to ask how I can change the MONI_NOT pattern?
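The anchor problem described in the reply, reproduced as an added example (not posted by anyone in this thread). It uses Ruby's regex engine, which is from the same Oniguruma family that grok uses. The reduced request regex, the helper names, the unanchored rewrite of MONI_NOT and the second log line are assumptions made for illustration.

```ruby
# Added example: a reduced version of the request part of the pattern above,
# with %{MONI_NOT} expanded by hand, the way grok inlines a custom pattern.

# MONI_NOT exactly as posted: anchored to line start (^) and line end ($).
MONI_NOT_ANCHORED = '^((?!monitor).)*$'

# Assumed rewrite (not from the thread): no anchors, and \S instead of "."
# so the token stops at the space before HTTP/.
MONI_NOT_UNANCHORED = '(?:(?!monitor)\S)+'

# Regex for: "%{WORD:method} %{MONI_NOT} HTTP/%{NUMBER:http_version}"
def request_regex(moni_not)
  Regexp.new('"(?<method>\w+) (?<url>' + moni_not + ') HTTP/(?<http_version>[\d.]+)"')
end

# Return the captured URL, or nil when the line does not match at all.
def match_url(moni_not, line)
  m = request_regex(moni_not).match(line)
  m && m[:url]
end

# First line: start of the log line from the question.
# Second line: constructed sample whose path contains "monitor".
SAMPLE_OK = '8.8.8.8 - localhost [24/Dec/2018:02:53:15 +0800] ' \
            '"GET /test/ui/favicons/favicon.ico HTTP/1.1" 304 0'
SAMPLE_MONITOR = '8.8.8.8 - localhost [24/Dec/2018:02:53:16 +0800] ' \
                 '"GET /monitor/health HTTP/1.1" 200 2'

if __FILE__ == $PROGRAM_NAME
  { 'anchored' => MONI_NOT_ANCHORED, 'unanchored' => MONI_NOT_UNANCHORED }.each do |name, pat|
    [SAMPLE_OK, SAMPLE_MONITOR].each do |line|
      puts "#{name}: #{match_url(pat, line).inspect}"
    end
  end
end
```

With the anchored form, ^ is evaluated right after `"GET `, which is not the start of a line, so the whole pattern fails on every line. The unanchored form matches the favicon request and rejects the line whose path contains "monitor".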
