Grok <something> or <nothing>


(Kareem) #1

Hi,

I'm trying to build a grok pattern for a "Quoted String", in particular this is for the request portion of the AWS ELB logs.

The problem I'm encountering, and can't seem to figure a way around, is that the same portion of the log can look like this:
"GET http://www.example.com:443/ HTTP/1.1"
or this:
"- - - "

The best I've gotten is this:
\"(?:%{NOTSPACE:http_method}|-) (?:%{NOTSPACE:http_path}|-) (?:%{NOTSPACE:http_statement}|-)/(?:%{NOTSPACE:http_version}|)\"
The above statement works for scenario 1 but not scenario 2 (where all dashes "- - - " are present).
Also, there appears to be a trailing space after the last dash, before the ending quotation. I'm not sure if this matters, but I've been trying to work it into my pattern also.

I'm trying to break it up so that I have http_method, http_path, http_statement and http_version.

The whole log can look like this:
2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000086 0.001048 0.001337 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" DHE-RSA-AES128-SHA TLSv1.2
or like this:
2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.001069 0.000028 0.000041 - - 82 305 "- - - " "-" - -

It's just the request Quoted String part I'm having trouble with.

Can anyone help? Perhaps @magnusbaeck is nearby and could hear my plea for help? :slight_smile:
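
The following is an added example, not part of the post above and not Logstash's own code. It transcribes the grok approach into a plain Python regex (grok's NOTSPACE is \S+; the per-token class here is tightened to stop at the closing quote) and parses both ELB line shapes quoted in the post, including the all-dash request with its trailing space. The two sample lines are constructed copies of the ones in the post; the field names other than the four request fields are assumptions chosen to follow the classic ELB log column order.

```python
import re

# Constructed sample lines, copied in shape from the two log variants in the post.
SAMPLE_REQUEST = (
    '2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 '
    '10.0.0.1:80 0.000086 0.001048 0.001337 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "curl/7.38.0" '
    'DHE-RSA-AES128-SHA TLSv1.2'
)
SAMPLE_DASHES = (
    '2015-05-13T23:39:43.945958Z my-loadbalancer 192.168.131.39:2817 '
    '10.0.0.1:80 0.001069 0.000028 0.000041 - - 82 305 "- - - " "-" - -'
)

# grok's NOTSPACE is \S+; inside the quoted request a token must also stop at
# the closing quote, so the per-token class is [^"\s]+ instead.
TOKEN = r'[^"\s]+'

# The quoted request is three tokens: method, URL, and protocol/version.
# Every token may be a literal "-", and the all-dash form carries a trailing
# space before the closing quote, hence the optional space before the final quote.
# Splitting protocol/version on "/" is done inside one alternation so that a
# bare "-" third token is accepted without requiring a "/".
REQUEST = (
    r'"(?P<http_method>' + TOKEN + r') '
    r'(?P<http_path>' + TOKEN + r') '
    r'(?:(?P<http_statement>[^"/\s]+)/(?P<http_version>' + TOKEN + r')|-) ?"'
)

# Whole classic ELB access-log line (column names are assumed, not from the post).
ELB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<request_processing_time>\S+) (?P<backend_processing_time>\S+) '
    r'(?P<response_processing_time>\S+) (?P<elb_status_code>\S+) '
    r'(?P<backend_status_code>\S+) (?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    + REQUEST +
    r' "(?P<user_agent>[^"]*)" (?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$'
)

INT_FIELDS = ('elb_status_code', 'backend_status_code', 'received_bytes', 'sent_bytes')


def parse_elb_line(line):
    """Parse one classic ELB access-log line into a dict.

    Returns None when the line does not match the expected layout. Fields that
    ELB logs as a bare "-" (and request sub-fields absent from the all-dash
    form) become None; numeric fields become ints. Downstream code therefore
    never has to special-case the dash itself.
    """
    m = ELB_LINE.match(line.rstrip('\n'))
    if m is None:
        return None
    fields = {}
    for name, value in m.groupdict().items():
        if value is None or value == '-':
            fields[name] = None
        elif name in INT_FIELDS:
            fields[name] = int(value)
        else:
            fields[name] = value
    return fields


if __name__ == '__main__':
    for sample in (SAMPLE_REQUEST, SAMPLE_DASHES):
        parsed = parse_elb_line(sample)
        print({k: parsed[k] for k in ('http_method', 'http_path',
                                      'http_statement', 'http_version')})
```

The key difference from the pattern in the post is that the "/" separating protocol and version lives inside the same alternation as the bare "-", so the third token is either "HTTP/1.1" split into two fields or a single dash, and the optional space before the closing quote absorbs the trailing space of the "- - - " form. Back in grok, the same request fragment would read (untested transcription, so treat it as an assumption): \"(?:%{NOTSPACE:http_method}) (?:%{NOTSPACE:http_path}) (?:(?<http_statement>[^/ ]+)/%{NOTSPACE:http_version}|-) ?\" and the dash-to-null conversion would be done by a mutate or by checking for "-" downstream.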


(system) #2