Regex path Nginx log


(Merces) #1

Hello,
Can someone help me extract only the path from these examples, please?

12.21.47.57 - - [02/Oct/2018:16:29:27 +0300] "GET /otp/validation?code=028041&user=14708515&useragent=android HTTP/1.1" 200 197 "-" "Go-http-client/1.1" "0.017"

12.21.21.16 - - [02/Oct/2018:17:10:08 +0700] "GET /otp/generate?user=1201 HTTP/1.1" 200 157 "-" "Go-http-client/1.1" "0.008"

14.25.23.7 - - [02/Oct/2018:17:10:08 +0700] "POST /otp/request HTTP/1.0" 200 131 "-" "okhttp/3.8.1" "0.195"

41.25.58.63 - - [02/Oct/2018:17:11:48 +0700] "POST /otp/get-validation-status?user_id=10017643&otp_type=200 HTTP/1.0" 200 232 "-" "okhttp/3.8.1" "0.001"

I am using this regex \] "(GET|POST) (.+?)\?.* but the result is GET or POST. If I am using this regex \] "POST (.+?)\s.*. That regex is for POST only; if I am using it for the GET method, the result is HTTP/1.1.
How do I extract /otp/any-path/ for both the GET and POST methods?
Thank you


(Merces) #2


I used this one \"((POST|GET) (.+?))\s.* but it displayed POST and the path. How do I throw away the POST or GET?


(Megan) #3

I would recommend using Grok Patterns to extract the data you want (http://docs.graylog.org/en/2.4/pages/extractors.html#using-grok-patterns-to-extract-data). Grok Debugger actually has an existing grok pattern for Nginx access logs: https://grokdebug.herokuapp.com/patterns#

NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response}  (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{QS:xforwardedfor} %{IPORHOST:host} %{BASE10NUM:request_duration}

#5

If you want to keep regex instead of the good solution provided by megan201296:
"(?:POST|GET|DELETE|PUT|HEAD|OPTIONS|CONNECT)\s(.*?)\sHTTP\/\d\.\d"
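
An added example, not part of the original thread or any poster's code: a Python version of the regex approach that captures the path separately from the query string, so values such as the OTP `code` and `user` parameters in the sample lines stay out of the extracted path field. The names `REQUEST_RE` and `extract_request`, the group names, and the malformed fourth sample line are assumptions made for this example; the first three lines are taken from the question.

```python
import re

# First three lines are the ones quoted in the question (straight quotes, as
# nginx writes them); the fourth is a constructed malformed request line.
SAMPLE_LINES = [
    '12.21.47.57 - - [02/Oct/2018:16:29:27 +0300] "GET /otp/validation?code=028041&user=14708515&useragent=android HTTP/1.1" 200 197 "-" "Go-http-client/1.1" "0.017"',
    '14.25.23.7 - - [02/Oct/2018:17:10:08 +0700] "POST /otp/request HTTP/1.0" 200 131 "-" "okhttp/3.8.1" "0.195"',
    '41.25.58.63 - - [02/Oct/2018:17:11:48 +0700] "POST /otp/get-validation-status?user_id=10017643&otp_type=200 HTTP/1.0" 200 232 "-" "okhttp/3.8.1" "0.001"',
    '10.0.0.9 - - [02/Oct/2018:17:12:00 +0700] "\\x16\\x03\\x01" 400 173 "-" "-" "0.000"',
]

REQUEST_RE = re.compile(
    r'\] "(?P<method>[A-Z]+) '     # anchor on the "]" that closes the timestamp
    r'(?P<path>[^\s?"]+)'          # path stops at whitespace, "?" or a quote
    r'(?:\?(?P<query>[^\s"]*))?'   # optional query string, kept out of the path
    r' HTTP/\d\.\d"'
)


def extract_request(line):
    """Return (method, path, query or None); None if the request line is malformed."""
    match = REQUEST_RE.search(line)
    if match is None:
        return None
    return match.group("method"), match.group("path"), match.group("query")


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = extract_request(sample)
        if parsed is None:
            print("unparsed request line")
        else:
            method, path, query = parsed
            # Print only whether a query string exists, not its contents.
            print(method, path, "(query present)" if query else "(no query)")
```

Where only the first capture group is used, as the results reported in the thread suggest, make the method group non-capturing, as the reply above does, so that the path is the first group.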


(Merces) #6

Noted !
Thank you so much for sharing it.

