Reputation: 18417
According to the logstash / grok documentation, a URI can be found with the following match pattern:
#Example log file
55.3.244.1 GET /index.html 15824 0.043
#Example Grok match pattern
%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
I'm trying to get a URI that is encapsulated in double quotes, and according to grokdebug.herokuapp.com, this is invalid.
#My log file
Started POST "/main/builder.git/git-upload-pack" for 127.0.0.1 at 2014-02-13 22:37:10 +0000
#My grok match patterns
%{WORD:started} %{WORD:method} %{URIPATHPARAM:gitrepo}
# 0 results
How can I find a match pattern for a quoted URI?
Upvotes: 2
Views: 4704
Reputation: 4349
Try using http://grokdebug.herokuapp.com/discover for discovering the filters for your strings. This app is very useful, especially when using and testing long and dynamic log messages.
Also consider using http://grokdebug.herokuapp.com/ for testing your patterns with a set of other strings.
Upvotes: 3
Reputation: 18417
It appears that the quoted string needs quotes in the grok match pattern. Here is the solution that appears to mostly work.
%{WORD:started} %{WORD:method} "%{URIPATH:gitrepo}" %{WORD} %{IPV4} %{WORD} %{TIMESTAMP_ISO8601} %{ISO8601_TIMEZONE}
#Result
{
  "started": [
    "Started"
  ],
  "method": [
    "POST"
  ],
  "gitrepo": [
    "/main/builder.git/git-upload-pack"
  ],
  "WORD": [
    "for",
    "at"
  ],
  "IPV4": [
    "127.0.0.1"
  ],
  "TIMESTAMP_ISO8601": [
    "2014-02-13 22:37:10"
  ],
  "YEAR": [
    "2014"
  ],
  "MONTHNUM": [
    "02"
  ],
  "MONTHDAY": [
    "13"
  ],
  "HOUR": [
    "22",
    null,
    "00"
  ],
  "MINUTE": [
    "37",
    null,
    "00"
  ],
  "SECOND": [
    "10"
  ],
  "ISO8601_TIMEZONE": [
    null,
    "+0000"
  ]
}
Upvotes: 3
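Why the question's pattern returns nothing while the answer's pattern matches, as an added example that is not part of the original posts: a small Python expander for the grok `%{NAME:field}` syntax, run against the log line from the question. The pattern definitions are simplified stand-ins for the stock grok ones, and the `client`, `timestamp` and `tz` field names and the second log line are constructed here; the example goes one step beyond the answer by showing that a quoted request carrying a query string needs `URIPATHPARAM` inside the quotes.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumption: the
# shipped grok-patterns file is stricter or broader in places).
PATTERNS = {
    "WORD": r"\b\w+\b",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]\d{2}(?::?\d{2})?)",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field}; everything else stays plain regex."""
    def expand(m):
        body = grok_to_regex(PATTERNS[m.group(1)])
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)

def grok_match(pattern, line):
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# Log line and first pattern from the question.
LINE = ('Started POST "/main/builder.git/git-upload-pack" '
        'for 127.0.0.1 at 2014-02-13 22:37:10 +0000')
ASKED = "%{WORD:started} %{WORD:method} %{URIPATHPARAM:gitrepo}"
# The answer's pattern; client/timestamp/tz field names are added here.
FIXED = ('%{WORD:started} %{WORD:method} "%{URIPATH:gitrepo}" %{WORD} '
         '%{IPV4:client} %{WORD} %{TIMESTAMP_ISO8601:timestamp} '
         '%{ISO8601_TIMEZONE:tz}')
# Constructed line: same format, but the request carries a query string.
QUERY_LINE = ('Started GET "/main/builder.git/info/refs?service=git-upload-pack" '
              'for 127.0.0.1 at 2014-02-13 22:37:11 +0000')
WITH_PARAM = FIXED.replace("URIPATH:", "URIPATHPARAM:")

if __name__ == "__main__":
    print(grok_match(ASKED, LINE))        # URIPATHPARAM must start at "/", the text has a quote
    print(grok_match(FIXED, LINE))        # literal quotes consume the delimiters
    print(grok_match(FIXED, QUERY_LINE))  # URIPATH stops at "?", so the closing quote fails
    print(grok_match(WITH_PARAM, QUERY_LINE))
```

A line that fails to match is tagged `_grokparsefailure` by Logstash and its fields are never extracted, so pattern coverage is worth testing against request shapes beyond the one sample.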