Parse content type

Babak · February 16, 2019, 2:34pm

I'm parsing a log message with arbitrary fields. In my message we have field within two quotations in these two formats

"text/html"
"text/html; charset=UTF-8"

I can handle each one separately.
For first one I use "%{WORD:type}/%{DATA:subtype}" and for the second one I use "%{WORD:type}/%{DATA:subtype}; charset=%{DATA:encoding}" but how can I use grok to handle both type simultaneously?

Badger · February 16, 2019, 2:59pm

You could use

"%{WORD:type}/%{WORD:subtype}(; charset=%{GREEDYDATA:encoding})?"

Babak · February 17, 2019, 7:33am

Tnx.

system · March 17, 2019, 7:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to parse a field which have multiple patterns? Logstash	3	406	March 18, 2017
How to use grok to filter some fields in message in logstash, skip the unnecessary, only filter the specified Logstash	6	3158	August 31, 2018
Logstash Multiple Grok Add Field Logstash	3	1009	August 24, 2018
Grok everything until a character and include that character in a field Logstash	2	5089	March 29, 2018
How to handle message with <F1>value</F1><F3>value</F3> Logstash	2	263	May 23, 2019

Parse content type

Related topics