How to define custom grok to get only 3 levels deep URL

(Prateek Gokhale) #1

Hello, I am new to grok. I am using a
%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}

pattern for my nginx log lines: - - [09/Jan/2018:09:16:12 +0000] "GET /a/b/c/poll/c? HTTP/1.1" 499 0 "" "ServiceHost/cc557714" 29.585 - .

Now I am trying to use a custom grok pattern to only get /a/b/c for my request semantics.

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} (?<TEST_PATTERN> ^./\s)(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}

However, I keep on getting null for the request.

Can we have a regex to only get 2 or 3 level deep URLs from nginx logs, before passing them on
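
For reference, an added example (not part of the original post): a Ruby sketch of a regex that keeps at most the first three path segments of the request, run over constructed log lines. Ruby is used because its regex engine shares the `(?<name>...)` named-group syntax that grok accepts inline; the field name `request_prefix`, the function name and the 192.0.2.10 client address are assumptions made for the example.

```ruby
# Added example, not from the original post. Sample lines are constructed;
# 192.0.2.10 is a documentation address standing in for the client IP.
SAMPLE_LINES = [
  '192.0.2.10 - - [09/Jan/2018:09:16:12 +0000] "GET /a/b/c/poll/c? HTTP/1.1" 499 0 "" "ServiceHost/cc557714" 29.585 - .',
  '192.0.2.10 - - [09/Jan/2018:09:16:13 +0000] "GET /a/b?x=1 HTTP/1.1" 200 12 "" "ServiceHost/cc557714" 0.002 - .',
  '192.0.2.10 - - [09/Jan/2018:09:16:14 +0000] "GET / HTTP/1.1" 200 5 "" "ServiceHost/cc557714" 0.001 - .',
  '192.0.2.10 - - [09/Jan/2018:09:16:15 +0000] "\x16\x03\x01" 400 0 "" "-" 0.000 - .'
].freeze

# Same field layout as the combined-log grok expression in the post,
# written as a plain regex with named groups.
ACCESS_LINE = %r{
  \A(?<clientip>\S+)\s(?<ident>\S+)\s(?<auth>\S+)\s
  \[(?<timestamp>[^\]]+)\]\s
  "(?:(?<verb>[A-Z]+)\s(?<request>\S+)(?:\sHTTP/(?<httpversion>[\d.]+))?
     |(?<rawrequest>[^"]*))"\s
  (?<response>\d{3})\s(?<bytes>\d+|-)
}x

# One to three leading segments; a segment ends at '/', '?' or whitespace,
# so the query string and deeper path levels are dropped.
# In a grok expression the equivalent inline capture would be
#   (?<request_prefix>(?:/[^/?\s]+){1,3})\S*
# in place of %{NOTSPACE:request} (assumption: not tested in Logstash here).
PATH_PREFIX = %r{\A(?:/[^/?\s]+){1,3}}

# Returns the truncated path, "/" for the site root, or nil when the line
# does not parse or the request is not an origin-form path (rawrequest case).
def request_prefix(line)
  m = ACCESS_LINE.match(line)
  return nil unless m && m[:request]&.start_with?("/")

  m[:request][PATH_PREFIX] || "/"
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| puts request_prefix(l).inspect }
end
```

The anchor sits inside the per-field regex (`\A` on the already extracted request), not in the middle of the whole-line expression, where a start-of-line anchor cannot match.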