All,
I'm new to Logstash, so forgive me for this basic question. I'm trying to create a grok filter to parse the following log lines.
GET /rest/api/latest/user/search?username=xxxxxx&etag=331231 HTTP/1.1
GET /status HTTP/1.1
I'm trying to break up the string /rest/api/latest/user/search?username=1565349, where the string after '?' is optional.
Here is the best I can do, which matches the first string but not the second:
grok {
  match => { "message" => "%{WORD:method} %{NOTSPACE:req_url}\?%{NOTSPACE:req_param} %{NOTSPACE:protocol}" }
}
Also, how do I filter out the "&etag=......." part in Logstash?
Any help is greatly appreciated.
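
An added example, not part of the original post: one way to make the query string optional and strip the etag pair, reusing the post's field names. It assumes the stock URIPATH grok pattern (which does not match '?') and a mutate/gsub step for the etag removal.

```logstash
# Added example (not the poster's configuration).
filter {
  grok {
    # URIPATH stops before "?", so the query string can sit in an
    # optional non-capturing group. "GET /status HTTP/1.1" then matches
    # with no req_param field created.
    match => {
      "message" => "%{WORD:method} %{URIPATH:req_url}(?:\?%{NOTSPACE:req_param})? %{NOTSPACE:protocol}"
    }
  }

  # Only touch req_param when the request actually carried a query string.
  if [req_param] {
    mutate {
      gsub => [
        # Remove the etag pair wherever it appears in the query string.
        "req_param", "(^|&)etag=[^&]*", "",
        # If etag was the first pair, drop the "&" left at the front.
        "req_param", "^&", ""
      ]
    }
  }
}
```

For the first sample line this yields req_url "/rest/api/latest/user/search" and req_param "username=xxxxxx"; the message field itself is left unchanged.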