Using expression in Elastic search

bismayam · February 26, 2018, 4:31am

We have logs like below.

2018-02-24 18:24:21 GET /test/customer/api/abc/getCustomer
2018-02-24 18:24:21 GET /test/customer/10000
2018-02-24 18:24:21 GET /test/customer/10000/updateCustomer

We are trying to parse apiname as last word and excluding numerical values by reg exp like below. Because we don't want customer id 10000 should come as apiname.

%{GREEDYDATA}/(?[^//][a-zA-Z^]*$+)

If we are testing this expression then it is working fine. But once we configure this in beats.conf it failed to parse log line 2. We tried to remove failed parse result by below. But we only see parsed result for only line 1. Not line 3.

if "_grokparsefailure" in [tags] {
drop { }
}

Could you please help here.

bismayam · February 26, 2018, 8:23am

Hi,

After checking we found that %{GREEDYDATA}/(?[^//][a-zA-Z^\s]*$+) is working fine. But in our log we have response code like below.

2018-02-24 18:24:21 GET /test/customer/10000 200

How can we append another field in that expression. We tried below but not working.
%{GREEDYDATA}/(?[^/][a-zA-Z^\s]+) %{SPACE}%{NUMBER:responseCode}

system · March 26, 2018, 8:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.