
Logstash grok filter regex


I'm trying to clear up a log entry within an ELK stack using grok. I have the following text to still tackle:

/mnt/drive/fish/Cap Camel/Indigo - [Fair Game].jpg (34523) [2,0,34523,0,0,2,2]
/mnt/drive/fish/Cap Camel/Indigo - [Fair Game].jpg
/mnt/drive/fish/Cap Camel (1358)/Indigo - [Fair Game].jpg

I want the path but it contains spaces, caps and special characters etc?

Thanks


Solution

  • Since your third example contains " (", we can't use that to spot the change in the first line.

    The only thing that seems to tie these lines together is the ".jpg". You said that it may not always be jpg, but hopefully they all have suffixes.

    With that assumption, and also that the path itself doesn't contain any periods, this pattern works in the debugger:

    (?<file>[^\.]*\.[^ ]*)
    

    "Anything that is not a period, followed by a period, followed by anything that is not a space".
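
The following is an added example, not part of the original answer: it runs the answer's pattern over the three sample lines from the question and over two constructed lines that break its stated assumptions (a period in a directory name, a file with no suffix). `ANCHORED_PATTERN`, `extract_file` and the two constructed lines are hypothetical; the anchored pattern assumes the trailing block always has the ` (n) [n,n,...]` shape of the first sample line.

```ruby
# Added example. Grok compiles patterns with Oniguruma, the regex engine Ruby
# also uses, so the named-capture syntax below is the same as in the filter.
ANSWER_PATTERN = /(?<file>[^\.]*\.[^ ]*)/

# Hypothetical alternative: anchor on the trailing " (n) [n,n,...]" block
# instead of on the suffix. Assumes that block always looks like the one in
# the first sample line and is optional.
ANCHORED_PATTERN = /\A(?<file>.*?)(?: \(\d+\) \[[\d,]+\])?\z/

# The three sample lines from the question.
SAMPLES = [
  "/mnt/drive/fish/Cap Camel/Indigo - [Fair Game].jpg (34523) [2,0,34523,0,0,2,2]",
  "/mnt/drive/fish/Cap Camel/Indigo - [Fair Game].jpg",
  "/mnt/drive/fish/Cap Camel (1358)/Indigo - [Fair Game].jpg",
].freeze

# Constructed lines that violate the answer's two stated assumptions.
DOTTED_DIR = "/mnt/drive/v1.2 backup/Indigo.jpg (10) [1]" # period in a directory
NO_SUFFIX  = "/mnt/drive/fish/README (12) [1]"            # no suffix at all

# Returns the captured path, or nil when the pattern does not match
# (the case in which grok tags the event with _grokparsefailure).
def extract_file(pattern, line)
  match = pattern.match(line)
  match && match[:file]
end

(SAMPLES + [DOTTED_DIR, NO_SUFFIX]).each do |line|
  puts line
  puts "  answer:   #{extract_file(ANSWER_PATTERN, line).inspect}"
  puts "  anchored: #{extract_file(ANCHORED_PATTERN, line).inspect}"
end
```

With the answer's pattern, the dotted directory yields a silently truncated path rather than a parse failure, so that case does not show up under `_grokparsefailure` and has to be checked for separately.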