Trying to update the default pipeline that parses access log files from nginx in order to manage upstream_response time. This pipeline is installed by Filebeat Nginx module.
As you can check, I added extra field at the end of grok pattern:
%{NUMBER:nginx.access.upstream_response_time}
"grok" : {
"patterns" : [
"%?{IP_LIST:nginx.access.remote_ip_list} - %{DATA:nginx.access.user_name} \\[%{HTTPDATE:nginx.access.time}\\] \"%{GREEDYDATA:nginx.access.info}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\" %{NUMBER:nginx.access.upstream_response_time}"
],
When updating the pipeline via curl command line, I get the error :
"target of repeat operator is not specified"
The pb is actualy the leading '?' in grok pattern "%?{IP_LIST:nginx.acce.......
Does anyone know the reason why we have this leading '?' ... it does not look like the optional field syntax in grok (%{....}?)
Many thanks for your support