We are facing an issue while filtering the nginx error log format ... suppose the two log snippets below come from the error log
-
2020/11/17 13:04:05 [error] 32237#32237: *4185303 open() "/etc/nginx/html/favicon.ico" failed (2: No such file or directory), client: 122.180.250.38, server: 10.222.10.20, request: "GET /favicon.ico HTTP/1.1", host: "niku.vinsupplier.com", referrer: "https://niku.vinsupplier.com/eRetailWeb/SellerPanelBS.action"
-
2020/11/17 13:04:05 [error] 32237#32237: *4185303 open() "/etc/nginx/html/favicon.ico" failed (2: No such file or directory), client: 122.180.250.38, server: 10.222.10.20, request: "GET /favicon.ico HTTP/1.1", host: "niku.vinsupplier.com"
And below is the grok pattern:
(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{DATA:errormessage}, client: %{IP:client}, server: %{IP:server}, request: \"(?<httprequest>%{WORD:httpcommand} %{UNIXPATH:httpfile} HTTP/(?<httpversion>[0-9.]*))\", host: \"%{DATA:host}\", referrer: \"%{DATA:referrer}\"
So this grok pattern fails if any entry comes with the 2nd type of snippet, i.e. if the referrer part is missing. We want to make it robust so that, in case the referrer part is missing, it treats it as null instead of erroring out. Please help us achieve a proper grok pattern for this requirement.
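A robust pattern and a runnable check of it, added here as an example and not part of the original question. The fix is to wrap the trailing referrer clause in an optional non-capturing group, `(?:, referrer: \"%{DATA:referrer}\")?`, which is the standard grok idiom for a field that is sometimes absent; a line without the clause then still matches and the `referrer` field is simply not set. Because grok needs Logstash to run, the block also carries a hand-expanded Python regex equivalent (the grok primitives YEAR, MONTHNUM, MONTHDAY, TIME, IP, UNIXPATH and DATA are approximated with plain character classes, an assumption of this example, not a copy of the grok library) and runs it over the two lines from the question.

```python
import re
from typing import Optional

# The grok pattern from the question with one change: the referrer clause is
# optional. Everything before ", referrer:" is unchanged. (Example pattern; it
# is meant to be pasted into a Logstash grok filter's "match" option.)
ROBUST_GROK = (
    r'(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] '
    r'%{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{DATA:errormessage}, '
    r'client: %{IP:client}, server: %{IP:server}, '
    r'request: \"(?<httprequest>%{WORD:httpcommand} %{UNIXPATH:httpfile} HTTP/(?<httpversion>[0-9.]*))\", '
    r'host: \"%{DATA:host}\"(?:, referrer: \"%{DATA:referrer}\")?'
)

# Python equivalent of ROBUST_GROK with the grok macros expanded by hand
# (assumption: simplified stand-ins for the real grok definitions). Python
# spells named groups (?P<name>...) where grok/Oniguruma uses (?<name>...).
# The pattern is anchored with ^ and $ so that a line with unexpected trailing
# or leading data is rejected outright rather than partially matched; the
# client, request and referrer fields are attacker-controlled, so partial
# matches are exactly what you do not want in a security log pipeline.
NGINX_ERROR_RE = re.compile(
    r'^(?P<timestamp>\d{4}[./]\d{2}[./]\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<severity>[a-z]+)\] '
    r'(?P<pid>\d+)#(?P<threadid>\d+): \*(?P<connectionid>\d+) '
    r'(?P<errormessage>.*?), '
    r'client: (?P<client>[\d.]+), '
    r'server: (?P<server>[\d.]+), '
    r'request: "(?P<httprequest>(?P<httpcommand>\w+) (?P<httpfile>/[^\s"]*) '
    r'HTTP/(?P<httpversion>[0-9.]*))", '
    r'host: "(?P<host>[^"]*)"'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$'
)


def parse_nginx_error(line: str) -> Optional[dict]:
    """Parse one nginx error-log line.

    Returns a dict of fields, or None when the line does not match (the
    Logstash equivalent would be a _grokparsefailure tag). When the optional
    referrer clause is absent, the 'referrer' key is present with value None,
    which is the "treat it as null" behaviour asked for in the question.
    """
    m = NGINX_ERROR_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.groupdict()


# The two lines quoted in the question (verbatim), used as sample input.
SAMPLE_WITH_REFERRER = (
    '2020/11/17 13:04:05 [error] 32237#32237: *4185303 open() '
    '"/etc/nginx/html/favicon.ico" failed (2: No such file or directory), '
    'client: 122.180.250.38, server: 10.222.10.20, request: "GET /favicon.ico HTTP/1.1", '
    'host: "niku.vinsupplier.com", '
    'referrer: "https://niku.vinsupplier.com/eRetailWeb/SellerPanelBS.action"'
)
SAMPLE_WITHOUT_REFERRER = (
    '2020/11/17 13:04:05 [error] 32237#32237: *4185303 open() '
    '"/etc/nginx/html/favicon.ico" failed (2: No such file or directory), '
    'client: 122.180.250.38, server: 10.222.10.20, request: "GET /favicon.ico HTTP/1.1", '
    'host: "niku.vinsupplier.com"'
)


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_REFERRER, SAMPLE_WITHOUT_REFERRER):
        fields = parse_nginx_error(sample)
        print("parse failure" if fields is None else
              f"client={fields['client']} host={fields['host']} referrer={fields['referrer']}")
```

Two caveats carry over to the real grok filter. First, grok does not create the `referrer` field at all when the optional group does not participate, so downstream queries should treat a missing field, not an explicit null, as "no referrer". Second, grok's `UNIXPATH` does not accept `?` or `=`, so a request line such as `GET /index.html?x=1 HTTP/1.1` is the next thing that will make this pattern fail; the Python stand-in above deliberately uses `/[^\s"]*` for `httpfile` so that such a line still parses.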