Issue with regular expression

My regex for the sample log line looks line this:


As you see, the endpoint section doesn’t match for “usr/admin/developer” although what I write in my regex. What is my mistake?

You have an alternation of three patterns, followed by .*

The second of the three matched. There is nothing telling the regexp engine that it should prefer the longer third possible match.

If the endpoint is always followed by a space then why not precede the .* with a space to anchor the end of the endpoint pattern?

Another option might be /usr(/[a-z]+)? but I am not sure if that wants to be greedy.

Why don't you use the grok notation like HTTPD_COMMONLOG? Not just pure regex.