Hello,
Can someone help me extract only the path from these examples, please?
12.21.47.57 - - [02/Oct/2018:16:29:27 +0300] "GET /otp/validation?code=028041&user=14708515&useragent=android HTTP/1.1" 200 197 "-" "Go-http-client/1.1" "0.017"
12.21.21.16 - - [02/Oct/2018:17:10:08 +0700] "GET /otp/generate?user=1201 HTTP/1.1" 200 157 "-" "Go-http-client/1.1" "0.008"
14.25.23.7 - - [02/Oct/2018:17:10:08 +0700] "POST /otp/request HTTP/1.0" 200 131 "-" "okhttp/3.8.1" "0.195"
41.25.58.63 - - [02/Oct/2018:17:11:48 +0700] "POST /otp/get-validation-status?user_id=10017643&otp_type=200 HTTP/1.0" 200 232 "-" "okhttp/3.8.1" "0.001"
I am using this regex:
\] "(GET|POST) (.+?)\?.*
but the result is GET or POST. If I use this regex:
\] "POST (.+?)\s.*
that regex is for POST only; if I use it for the GET method, the result is HTTP/1.1.
How do I extract /otp/any-path/ for both the GET and POST methods?
Thank you
I used this one:
\"((POST|GET) (.+?))\s.*
but it displayed POST and the path. How do I throw away the POST or GET?
I would recommend using Grok Patterns to extract the data you want (http://docs.graylog.org/en/2.4/pages/extractors.html#using-grok-patterns-to-extract-data). Grok Debugger actually has an existing grok pattern for Nginx access logs: https://grokdebug.herokuapp.com/patterns#
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{QS:xforwardedfor} %{IPORHOST:host} %{BASE10NUM:request_duration}
frantz
October 8, 2018, 11:17am
If you want to keep regex instead of the good solution provided by megan201296:
"(?:POST|GET|DELETE|PUT|HEAD|OPTIONS|CONNECT)\s(.*?)\sHTTP\/\d\.\d"
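An added example, not code from any poster in this thread: a Python check of a path-only pattern against the four log lines from the question, showing how a non-capturing group keeps the method out of the result and how stopping at `?` keeps the query string out. The names `REQUEST_PATH`, `extract_path` and `extract_paths`, the PATCH method in the alternation, and the fifth sample line are assumptions made for this illustration.

```python
import re

# The first four lines are the ones from the question (straight quotes, as
# nginx writes them). The fifth is constructed: a request nginx could not
# parse, logged with "-" in place of the request line.
SAMPLE_LINES = [
    '12.21.47.57 - - [02/Oct/2018:16:29:27 +0300] "GET /otp/validation?code=028041&user=14708515&useragent=android HTTP/1.1" 200 197 "-" "Go-http-client/1.1" "0.017"',
    '12.21.21.16 - - [02/Oct/2018:17:10:08 +0700] "GET /otp/generate?user=1201 HTTP/1.1" 200 157 "-" "Go-http-client/1.1" "0.008"',
    '14.25.23.7 - - [02/Oct/2018:17:10:08 +0700] "POST /otp/request HTTP/1.0" 200 131 "-" "okhttp/3.8.1" "0.195"',
    '41.25.58.63 - - [02/Oct/2018:17:11:48 +0700] "POST /otp/get-validation-status?user_id=10017643&otp_type=200 HTTP/1.0" 200 232 "-" "okhttp/3.8.1" "0.001"',
    '10.0.0.1 - - [02/Oct/2018:17:12:00 +0700] "-" 400 0 "-" "-" "0.000"',
]

# (?:...) groups the method alternatives without capturing them, so the
# path is capture group 1 rather than group 2.
# [^?\s]+ stops at the first "?" or whitespace, so the query string (which
# in these lines carries OTP codes and user ids) is not part of the field.
# (?:\?\S*)? then consumes an optional query string without capturing it.
REQUEST_PATH = re.compile(
    r'\] "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT) '
    r'([^?\s]+)(?:\?\S*)? HTTP/\d\.\d"'
)


def extract_path(line):
    """Return the request path without method or query string, or None."""
    match = REQUEST_PATH.search(line)
    return match.group(1) if match else None


def extract_paths(lines):
    """Apply extract_path to every line, keeping None for unparsable ones."""
    return [extract_path(line) for line in lines]


if __name__ == "__main__":
    for path in extract_paths(SAMPLE_LINES):
        print(path)
```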
Noted!
Thank you so much for sharing it.