Hello.
I hope for your help.
I need to parse the nginx-error-log, but the problem is that this or that group in the log may be absent and then no match occurs.
Here's an example.
2020/08/11 14:16:35 [warn] 230521#230521: *573543 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000020676, client: 172.31.41.113, server: _, request: "POST /taps/api/v1/notification/1151020/2018/submit HTTP/1.1", host: "lc.com", referrer: "http://lc/FL?cardId=902713&step=deductionSelector"
Pattern
(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{NUMBER:pid}#%{NUMBER:threadid}: \*%{NUMBER:connectionid} %{DATA:errormessage}, client: %{IP:client}, server: %{DATA:server}, request: "%{DATA:verb} %{DATA:request} %{DATA:httpversion}", upstream: "%{DATA:upstream}", host: "%{DATA:host}", referrer: "%{DATA:referrer}"
You can see that the log is missing the group for ", upstream: "%{DATA:upstream}"".
I also noticed that the log may be missing, for example, records about other groups.
How do I select these groups so that they are ignored if absent, but correctly parsed if present?
I tried this approach, but it doesn't seem to work: the values are null.
(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{NUMBER:pid}#%{NUMBER:threadid}: \*%{NUMBER:connectionid} %{DATA:errormessage}, client: %{IP:client}, server: %{DATA:server}, request: "%{DATA:verb} %{DATA:request}(?: %{DATA:httpversion}")?(?:, upstream: "%{DATA:upstream}")?(?:, host: "%{DATA:host}")?(?:, referrer: "%{DATA:referrer}")?
http://grokdebug.herokuapp.com/
{
  "timestamp": [["2020/08/11 14:16:35"]],
  "YEAR": [["2020"]],
  "MONTHNUM": [["08"]],
  "MONTHDAY": [["11"]],
  "TIME": [["14:16:35"]],
  "HOUR": [["14"]],
  "MINUTE": [["16"]],
  "SECOND": [["35"]],
  "severity": [["warn"]],
  "pid": [["230521"]],
  "BASE10NUM": [["230521", "230521", "573543"]],
  "threadid": [["230521"]],
  "connectionid": [["573543"]],
  "errormessage": [["a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000020676"]],
  "client": [["172.31.41.113"]],
  "IPV6": [[null]],
  "IPV4": [["172.31.41.113"]],
  "server": [["_"]],
  "verb": [["POST"]],
  "request": [[""]],
  "httpversion": [[null]],
  "upstream": [[null]],
  "host": [[null]],
  "referrer": [[null]]
}
Maybe you can tell me a universal pattern for the nginx error log?
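The behaviour shown in the debugger output above, reproduced as an added example that is not part of the original post. It uses Python's `re` with plain regex in place of the grok macros. With lazy captures followed only by optional groups and no end anchor, the match stops as early as it can; adding `$` and replacing the lazy captures inside quotes with `[^"]*` makes the optional fields populate. The names `HEAD`, `UNANCHORED`, `ANCHORED` and `parse` are assumptions, the optional `*connectionid` goes beyond the post's pattern, and the second and third sample lines are constructed.

```python
import re

# Fixed prefix. The "*connectionid" part is optional here (assumption: lines
# logged outside a connection carry no "*N").
HEAD = (r'(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<severity>\w+)\] '
        r'(?P<pid>\d+)#(?P<threadid>\d+): (?:\*(?P<connectionid>\d+) )?')

# Shape of the second pattern in the post: lazy ".*?" (grok DATA) followed only
# by optional groups, with no end anchor. "request" can stop at zero characters.
UNANCHORED = re.compile(
    HEAD + r'(?P<errormessage>.*?), client: (?P<client>[^,]+), server: (?P<server>.*?)'
    r', request: "(?P<verb>.*?) (?P<request>.*?)(?: (?P<httpversion>.*?)")?'
    r'(?:, upstream: "(?P<upstream>.*?)")?(?:, host: "(?P<host>.*?)")?'
    r'(?:, referrer: "(?P<referrer>.*?)")?')

# Anchored variant: every trailing field is optional, quoted values are
# negated classes, and "$" forces the match to consume the whole line.
ANCHORED = re.compile(
    HEAD + r'(?P<errormessage>.*?)'
    r'(?:, client: (?P<client>[^,]+))?(?:, server: (?P<server>[^,]*))?'
    r'(?:, request: "(?P<verb>\S+) (?P<request>[^" ]*)(?: (?P<httpversion>[^"]*))?")?'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$')

def parse(line, pattern=ANCHORED):
    """Return a dict of named fields (absent ones are None), or None if no match."""
    m = pattern.match(line.rstrip('\n'))
    return m.groupdict() if m else None

# Log line from the post.
POST_LINE = ('2020/08/11 14:16:35 [warn] 230521#230521: *573543 a client request body is '
             'buffered to a temporary file /var/cache/nginx/client_temp/0000020676, '
             'client: 172.31.41.113, server: _, request: "POST /taps/api/v1/notification/'
             '1151020/2018/submit HTTP/1.1", host: "lc.com", '
             'referrer: "http://lc/FL?cardId=902713&step=deductionSelector"')
# Constructed sample lines: one with an upstream field, one with no trailing fields.
UPSTREAM_LINE = ('2020/08/11 14:16:40 [error] 230521#230521: *573544 connect() failed '
                 '(111: Connection refused) while connecting to upstream, '
                 'client: 172.31.41.113, server: _, request: "GET /health HTTP/1.1", '
                 'upstream: "http://127.0.0.1:8080/health", host: "lc.com"')
BARE_LINE = '2020/08/11 14:16:41 [notice] 230521#230521: signal process started'

if __name__ == '__main__':
    for sample in (POST_LINE, UPSTREAM_LINE, BARE_LINE):
        print(parse(sample))
```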