I'm parsing a log message with arbitrary fields. In my message we have field within two quotations in these two formats
"text/html"
"text/html; charset=UTF-8"
I can handle each one separately.
For first one I use "%{WORD:type}/%{DATA:subtype}" and for the second one I use "%{WORD:type}/%{DATA:subtype}; charset=%{DATA:encoding}" but how can I use grok to handle both type simultaneously?
You could use
"%{WORD:type}/%{WORD:subtype}(; charset=%{GREEDYDATA:encoding})?"Tnx.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.