GROK pattern to match URIPATH

Here is my sample URL

http://localhost:8080/abc2/query/errorLogs

was trying to extract only query/errorLogs. For this i have tried below GROK patten

(%{URIPROTO}://%{URIHOST}(?<path>/[^/]+/[^/]+/[^/]+))

Below output i am getting

{
  "URIPROTO": [
    [
      "http"
    ]
  ],
  "URIHOST": [
    [
      "localhost:8080"
    ]
  ],
  "IPORHOST": [
    [
      "localhost"
    ]
  ],
  "HOSTNAME": [
    [
      "localhost"
    ]
  ],
  "IP": [
    [
      null
    ]
  ],
  "IPV6": [
    [
      null
    ]
  ],
  "IPV4": [
    [
      null
    ]
  ],
  "port": [
    [
      "8080"
    ]
  ],
  "path": [
    [
      "/abc2/query/errorLogs"
    ]
  ]
}

but i was expecting path should be "/query/errorLogs".

Solution

try this :

(%{URIPROTO}://%{URIHOST}(?<first_path>/[^/]+)%{GREEDYDATA:path})

result:

port    8080
first_path  /abc2
path    /query/errorLogs

how to remove /r from field value in logstash grok
Writing a grok pattern for key value pairs
Grok pattern for [Mon Jan 04 08:36:12 2021]
logstash unable to connect to elasticsearch
Elasticsearch - Logstash Grok new field date formate is string and not date
How to parse this content in kibana using grok pattern?
What's wrong with my logstash filter grok syntax?
Syntax for Lookahead and Lookbehind in Grok Custom Pattern
How to match a data that appears 0 or 1 times in grok?
Logstash add a field of type Date
Grok syntax and distinct if it is a new entry or continuation of previuoys one
Grok filter for class name containing $
Grok Syntax Issues
Regular expression to get topics from MikroTik logs
Unable to use grok in Logstash pipeline to manipulate message
Netfilter syslog message Grok pattern
How to remove \r in Logstash
Getting only the relevant part of a Kafka message as an input for Logstrash
How to set time in log as main @timestamp in elasticsearch
Regex java exception exclude "Caused by:"
Is there a way to test Elasticsearch mutate locally?
All messages receive a "user level notice"
How to replace a pattern after specific character in logstash message
Regex (grok) - create general pattern for log which occurs but don't have to
How to parse log with "dynamically" double quotes
Logstash Grok regex expression works fine alone but doesn't work when grouped with other grok expressions
How do I make this regular expression work?
Grok pattern to extract specific data only from log
How to add country name field based on mobile number using Mobile_Number using logstash
Grok pattern for matching content in already parsed log line