My regex for the sample log line looks line this:
As you see, the endpoint section doesn’t match for “usr/admin/developer” although what I write in my regex. What is my mistake?
As you see, the endpoint section doesn’t match for “usr/admin/developer” although what I write in my regex. What is my mistake?
You have an alternation of three patterns, followed by .*
The second of the three matched. There is nothing telling the regexp engine that it should prefer the longer third possible match.
If the endpoint is always followed by a space then why not precede the .* with a space to anchor the end of the endpoint pattern?
Another option might be /usr(/[a-z]+)? but I am not sure if that wants to be greedy.
Why don't you use the grok notation like HTTPD_COMMONLOG? Not just pure regex.