Karim
Reputation: 187
Regex match not always present elements
I have these inputs:
+36919:60546a74:0|POST /api/v1/transactions
-36919:60546a74:0
I am looking for a regex (or a grok pattern) to give me these outputs:
For the first line:
in_out: +
id: 36919:60546a74:0
method: POST
url: /api/v1/transactions
For the second line:
in_out: -
id: 36919:60546a74:0
Thanks a lot!
EDIT:
I tried this pattern:
IN_OUT [+-]{1}
FORENSIC_ID .*?(?=\|?)
CUSTOM %{IN_OUT:in_out}%{FORENSIC_ID:forensic_id}\|%{WORD:method} %{URIPATHPARAM:request}
It gives me good result for the first line, but not for the second because there is no "|" after the ID.
Upvotes: 1
Views: 120
Answers (2)
Karim
Reputation: 187
The answer above is correct. Thanks a lot!
In grok syntax:
IN_OUT [+-]
FORENSIC_ID [\w:]+
OPTIONAL [\|]?%{WORD:method}\s%{URIPATHPARAM:request}
CUSTOM %{IN_OUT:in_out}%{FORENSIC_ID:forensic_id}%{OPTIONAL:rest}*
Upvotes: 0
Wiktor Stribiżew
Reputation: 626845
You can use the following regex:
^(?<in_out>[-+])(?<id>[\w:]+)(?:\|(?<method>[A-Z]+)\s+(?<url>/.*))?
See the regex demo.
Details:
^- start of string(?<in_out>[-+])- Group "in_out": a-or+char(?<id>[\w:]+)- Group "id": one or more word or:chars(?:\|(?<method>[A-Z]+)\s+(?<url>/.*))?- an optional non-capturing group:\|- a|char(?<method>[A-Z]+)- Group "method": one or more uppercase ASCII letters\s+- one or more whitespaces(?<url>/.*)- Group "url": a/and then any zero or more chars to the end of line
Upvotes: 1
Related Questions
- GROK Parsing with regex
- logstash log parsing with regex and grok
- logstash grok - how to do conditional pattern matching?
- grok parsing issue
- Regular expressions for grok pattern
- Regex match if exist or ignore
- Logstash grok filter regex
- Logstash Grok pattern with multiple matches
- Regexp in Grok sometimes catches a value sometimes not
- Logstash pattern matching more than it should