If field contains question mark

Hi,

I'm trying to filter out some URLs to split up the uri stem and query.

I've got the following pattern match which works when there is a question mark to separate them both.

filter {
  grok {
    patterns_dir => "/etc/logstash/patterns"
    match => ["http_request", "%{GREEDYDATA:uri_stem}\?%{GREEDYDATA:uri_query}"]
  }
}

The problem I'm facing is that when the URL doesn't have any variables (and therefore no question mark in the URL), I get a _grokparsefailure.

I was trying to carry out an if statement to combat this as below:

if [http_request] =~ "?" {
  grok {
  ...
  }
}

However I'm still getting a parse failure.

Is there anything special that needs to be done to correctly identify a question mark in a field?

P.S. I've also tried "\\?" (double backslash), which doesn't work either.

Any help would be appreciated.

Cheers,

Turns out it only required one backslash

if [http_request] =~ "\?" {
 ...
}

Usually I would tell you to put ()? around the optional part. But that doesn't seem to work with GREEDYDATA. So you'll probably have to add a second pattern in the array.

grok { match => { "http_request" => [ "%{GREEDYDATA:uri_stem}\?%{GREEDYDATA:uri_query}", "%{GREEDYDATA:uri_stem}" ] } }

You should really never use more than one GREEDYDATA pattern in any grok expression. Doing so is inefficient and error prone. Always try to use the most precise pattern possible, e.g. WORD, NOTSPACE, NUMBER, IP etc.
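
To illustrate the advice above, here is an added example (not code from any poster in this thread) that compares the thread's two-GREEDYDATA pattern with a more precise one, written as plain Ruby regexes since GREEDYDATA is defined as `.*` in the stock grok patterns. The `PRECISE` pattern, the `split_request` helper and the sample requests are assumptions constructed for this illustration.

```ruby
# Added example: regex equivalents of the grok patterns discussed in this thread.
# GREEDYDATA is defined as `.*` in the stock grok pattern set.

# The thread's approach: two greedy captures around a literal question mark.
TWO_GREEDY = /(?<uri_stem>.*)\?(?<uri_query>.*)/

# Precise alternative (assumption, not from the thread): the stem is everything
# up to the first "?", and the "?query" part is optional.
PRECISE = /\A(?<uri_stem>[^?]*)(?:\?(?<uri_query>.*))?\z/

# Hypothetical helper: returns [stem, query], or nil when the pattern does not
# match (the case grok would tag with _grokparsefailure).
def split_request(pattern, request)
  m = pattern.match(request)
  m && [m[:uri_stem], m[:uri_query]]
end

# Constructed sample requests: no query, one query, and a query whose value
# itself contains a question mark.
SAMPLES = [
  "/index.html",
  "/search?q=logstash",
  "/login?next=/admin?id=1",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |req|
    puts req
    puts "  two greedy: #{split_request(TWO_GREEDY, req).inspect}"
    puts "  precise:    #{split_request(PRECISE, req).inspect}"
  end
end
```

With two greedy captures, the first one backtracks only as far as the last question mark, so `/login?next=/admin?id=1` is split in the wrong place and a request with no query does not match at all. The precise pattern uses named captures, which grok also accepts inline in a `match` expression.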
