I have the following two log events, both in the same source log:
Log 1:
[21/Jul/2016:11:34:28 +0000] 99.125.125.201 "AB" "53096a9f-cef9-4047-83a5-07deda1d2939" "POST /call/service HTTP/1.1" 200 211 0.001
Regex:
rex "(?<IP>[^ ]+) \"(?<PartnerId>\\w+)\" \"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)"
Log 2:
[21/Jul/2016:11:35:43 +0000] 99.125.95.251 "03483b34-1cc2-42d7-b612-db545efab897" "POST /call/service HTTP/1.1" 200 10448 0.002
Regex:
rex "(?<IP>[^ ]+) \"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)"
Question:
What will be the Regex that covers both cases?
Thanks,
Lp
What about this?
| rex "^\[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} [\-\+]\d{4}\] (?<IP>[^ ]+) (\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\" \"(?<ServiceCall>[^\"]+)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>[\d\.]+)$"
This works with your sample data on regex101.com.
rex "(?<IP>[^ ]+) (:\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)"
It does not work. Thanks,
It works in regex101.com. Be sure to escape the '"' characters in your rex command.
What about this?
| rex "^\[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} [\-\+]\d{4}\] (?<IP>[^ ]+) (\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\" \"(?<ServiceCall>[^\"]+)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>[\d\.]+)$"
It does work.
Thanks,
Lp
No worries. If you are happy with the answer, can you mark it as such so that others can benefit from it?
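Added example, not code from any poster in this thread: the two rex patterns above, copied as they appear on this page, run against both sample events in Python, with a field check that flags a match whose values have shifted into the wrong fields. Python's `re` stands in for rex's PCRE engine; the helper names, the truncated line and the assumption that correlationId is always UUID-shaped are constructed for this example.

```python
import re

# rex patterns copied from the thread. The \" escaping is what rex needs inside
# its quoted argument; Python's re treats it as a literal quote.
REX_BOTH = r'^\[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} [\-\+]\d{4}\] (?<IP>[^ ]+) (\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\" \"(?<ServiceCall>[^\"]+)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>[\d\.]+)$'
REX_UNANCHORED = r'(?<IP>[^ ]+) (:\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)'

# The two sample events from the question.
LOG_1 = '[21/Jul/2016:11:34:28 +0000] 99.125.125.201 "AB" "53096a9f-cef9-4047-83a5-07deda1d2939" "POST /call/service HTTP/1.1" 200 211 0.001'
LOG_2 = '[21/Jul/2016:11:35:43 +0000] 99.125.95.251 "03483b34-1cc2-42d7-b612-db545efab897" "POST /call/service HTTP/1.1" 200 10448 0.002'
# Constructed for this example: an event cut off after the status code.
TRUNCATED = '[21/Jul/2016:11:36:02 +0000] 99.125.95.251 "AB" "53096a9f-cef9-4047-83a5-07deda1d2939" "POST /call/service HTTP/1.1" 200'


def compile_rex(pattern):
    """Compile a PCRE-style pattern; Python spells named groups (?P<name>...)."""
    return re.compile(re.sub(r'\(\?<(?![=!])', '(?P<', pattern))


def extract(pattern, line):
    """Return the named fields the way rex would (unanchored search), or None."""
    match = compile_rex(pattern).search(line)
    return match.groupdict() if match else None


def check_fields(fields):
    """Sanity checks that catch a match whose fields have shifted."""
    if fields is None:
        return ["no match"]
    problems = []
    # Assumption: correlationId is UUID-shaped, as in both sample events.
    if not re.fullmatch(r'[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', fields["correlationId"]):
        problems.append("correlationId is not a UUID")
    if '"' in fields["ServiceCall"]:
        problems.append("ServiceCall contains a quote")
    return problems


if __name__ == "__main__":
    for name, pattern in (("both", REX_BOTH), ("unanchored", REX_UNANCHORED)):
        for line in (LOG_1, LOG_2, TRUNCATED):
            fields = extract(pattern, line)
            print(name, fields, check_fields(fields))
```

The unanchored pattern still matches Log 1, but with "AB" in correlationId and the UUID folded into ServiceCall, which is why a field check catches more than a match/no-match test.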