How not to output a matching field in grok pattern?

Tristan_D · August 18, 2020, 1:50pm

I don't want the mathed http_version field in the output. How should I to do avoid it?
I can't remove it with the non-caputering group symbol.

This is my nginx log
10.102.136.44 - - [26/Nov/2019:19:49:36 +0800] "POST /recognize/task_timer HTTP/1.1" 200

The grok pattern
%{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:timelocal}\] "%{WORD:request_method} %{DATA:request} (?:%{DATA:http_version})"

Here is the result of Grok Debugger

{
  "remote_addr": [
    "10.102.136.44"
  ],
  "remote_user": [
    "-"
  ],
  "timelocal": [
    "26/Nov/2019:19:49:36 +0800"
  ],
  "request_method": [
    "POST"
  ],
  "request": [
    "/recognize/task_timer"
  ],
  "http_version": [
    "HTTP/1.1"
  ]
}

Jenni · August 18, 2020, 2:05pm

If you don't name the field, it won't be there (– just %{DATA}).

Tristan_D · August 19, 2020, 1:25am

Thank you for your replying. It solved my problem.

system · September 16, 2020, 1:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.