Nested grok

Hi. I'm trying to make a 'dynamic' parsing of a URL by this grok pipeline.

if [container][image][name] =~ /nginx/ {
grok{
 match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
  remove_field => "message"
   if [nginx][access][url] != "/" { match => { "nginx.access.url" => ["%{GREEDYDATA:uri_stem}\?%{GREEDYDATA:uri_query}"] } }
}
}

For some reason, it doesn't work and I don't know why. Help me, please. The condition in the grok is because a URL with / only won't display.

That should be

if [nginx][access][url] != "/" { match => { "[nginx][access][url]" => ...

Didn't help. Perhaps my 'if' isn't correct?

You cannot make the match conditional, the entire filter has to be conditional, so

if [nginx][access][url] != "/" {
    grok { match => { "[nginx][access][url]" => ...
}
  if [nginx][access][url] != '/' {
       grok { { match => { "[nginx][access][url]" => ["%{GREEDYDATA:[nginx][access][uri][type]}/%{GREEDYDATA:[nginx][access][uri][query]}"] } } }

That didn't work either. What am I missing?
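An added example, not from any poster in this thread: one way to lay out the second stage so that the conditional wraps a separate grok filter and the field is referenced as [nginx][access][url]. The fallback pattern and the tag name _nginx_url_unsplit are assumptions made for illustration; uri_stem and uri_query are the field names from the first post.

```logstash
filter {
  if [container][image][name] =~ /nginx/ {

    # Stage 1: the access-log grok from the first post goes here, unchanged
    # apart from removing the inner "if". It populates [nginx][access][url].

    # Stage 2: a separate grok filter. The condition sits around the filter,
    # not inside it. The first test skips events where stage 1 did not
    # produce the field at all.
    if [nginx][access][url] and [nginx][access][url] != "/" {
      grok {
        # Patterns are tried in order and the first match wins.
        match => {
          "[nginx][access][url]" => [
            # URL with a query string: split at the first "?".
            "^%{DATA:uri_stem}\?%{GREEDYDATA:uri_query}$",
            # URL without "?": keep the whole value as the stem so the
            # event is not marked as a parse failure.
            "^%{GREEDYDATA:uri_stem}$"
          ]
        }
        # Hypothetical tag name, so a failure in this stage can be told
        # apart from a failure of the access-log grok.
        tag_on_failure => ["_nginx_url_unsplit"]
      }
    }
  }
}
```

A pattern that requires a literal \? matches only URLs that contain a query string, which is why the second pattern is listed as a fallback.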
