My regex for the sample log line looks like this:
As you can see, the endpoint section doesn’t match “usr/admin/developer”, despite what I wrote in my regex. What is my mistake?
You have an alternation of three patterns, followed by .*
The second of the three matched. There is nothing telling the regexp engine that it should prefer the longer third possible match.
If the endpoint is always followed by a space then why not precede the .* with a space to anchor the end of the endpoint pattern?
Another option might be /usr(/[a-z]+)? but I am not sure if that wants to be greedy.
Why don't you use the grok notation like HTTPD_COMMONLOG? Not just pure regex.
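The alternation behaviour discussed in this thread, as an added example that is not part of any of the posts above. The original regex and log line are not shown on the page, so the sample line and all four patterns below are constructed; Ruby is used because its regex engine is from the same Oniguruma family that grok patterns run on.

```ruby
# Constructed sample lines (not from the original post).
LINE        = '10.0.0.5 GET /usr/admin/developer 200 512'
PREFIX_LINE = '10.0.0.5 GET /usr/administrator 200 512'

# Hypothetical three-way alternation followed by .* as described in the reply.
# Alternatives are tried left to right; the first one that lets the overall
# pattern succeed wins, even when a later alternative would match more text.
UNANCHORED = %r{(?<endpoint>usr/guest|usr/admin|usr/admin/developer).*}

# Fix suggested in the thread: require the space that follows the endpoint.
# "usr/admin" is now followed by "/" instead of " ", so the engine backtracks
# and tries the third alternative.
ANCHORED = %r{(?<endpoint>usr/guest|usr/admin|usr/admin/developer) .*}

# Alternative fix: list the longest alternative first.
LONGEST_FIRST = %r{(?<endpoint>usr/admin/developer|usr/admin|usr/guest).*}

# No alternation: take every lowercase path segment up to the next whitespace
# (a variant of the /usr(/[a-z]+)? idea that uses * so all segments are kept).
SEGMENTS = %r{(?<endpoint>/usr(?:/[a-z]+)*)(?=\s)}

# Return the captured endpoint, or nil when the pattern does not match.
def endpoint(regex, line)
  m = regex.match(line)
  m && m[:endpoint]
end

{ 'unanchored' => UNANCHORED, 'anchored' => ANCHORED,
  'longest first' => LONGEST_FIRST, 'segments' => SEGMENTS }.each do |name, re|
  puts format('%-14s %-22s %s', name,
              endpoint(re, LINE).inspect, endpoint(re, PREFIX_LINE).inspect)
end
```

Reordering alone still labels `/usr/administrator` as `usr/admin`, while the space-anchored pattern rejects it, which matters when the extracted endpoint field feeds alerting on admin paths.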