Parse content type

Babak · February 16, 2019, 2:34pm

I'm parsing a log message with arbitrary fields. In my message we have field within two quotations in these two formats

"text/html"
"text/html; charset=UTF-8"

I can handle each one separately.
For first one I use "%{WORD:type}/%{DATA:subtype}" and for the second one I use "%{WORD:type}/%{DATA:subtype}; charset=%{DATA:encoding}" but how can I use grok to handle both type simultaneously?

Badger · February 16, 2019, 2:59pm

You could use

"%{WORD:type}/%{WORD:subtype}(; charset=%{GREEDYDATA:encoding})?"

Babak · February 17, 2019, 7:33am

Tnx.

system · March 17, 2019, 7:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash two different log types Logstash	8	912	June 26, 2018
Logstash Grok Issue with Multi-Line Events Logstash	4	905	April 29, 2019
Filter a field that has different formats Logstash	2	302	March 12, 2020
I cant parse with grok Logstash	3	333	December 27, 2016
Issue with Logstash Grok and special character in field Logstash	4	1434	January 19, 2018

Parse content type

Related topics