If field contains question mark


I'm trying to filter out some URLs to split up the uri stem and query.

I've got the following pattern match which works when there is a questionmark to separate them both.

filter {
  grok {
    patterns_dir => "/etc/logstash/patterns"
    match => ["http_request", "%{GREEDYDATA:uri_stem}\?%{GREEDYDATA:uri_query}"]

The problem I'm facing is that when the URL doesn't have any variables (and therefore no questionmark in the URL), I get a _grokparsefailure.

I was trying to carry out an if statement to combat this as below:

if [http_request] =~ "?" {
  grok {

However I'm still getting a parse failure.

Is there anything special that needs to be done to correctly identify a questionmark in a field.

p.s I've also tried "\\?" (double backslash) which doesn't work either

Any help would be appreciated.


Turns out it only required one backslash

if [http_request] =~ "\?" {

Usually I would tell you to put ()? around the optional part. But that doesn't seem to work with GREEDYDATA. So you'll probably have to add a second pattern in the array.

grok { match => { "http_request" => [ "%{GREEDYDATA:uri_stem}?%{GREEDYDATA:uri_query}", "%{GREEDYDATA:uri_stem}" ] } }

1 Like

You should really never use more than one GREEDYDATA pattern in any grok expression. Doing so is inefficient and error prone. Always try to use the most precise pattern possible, e.g. WORD, NOTSPACE, NUMBER, IP etc.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.