I have these inputs:
+36919:60546a74:0|POST /api/v1/transactions
-36919:60546a74:0
I am looking for a regex (or a grok pattern) to give me these outputs:
For the first line:
in_out: +
id: 36919:60546a74:0
method: POST
url: /api/v1/transactions
For the second line:
in_out: -
id: 36919:60546a74:0
Thanks a lot!
EDIT:
I tried this pattern:
IN_OUT [+-]{1}
FORENSIC_ID .*?(?=\|?)
CUSTOM %{IN_OUT:in_out}%{FORENSIC_ID:forensic_id}\|%{WORD:method} %{URIPATHPARAM:request}
It gives me good result for the first line, but not for the second because there is no "|" after the ID.
You can use the following regex:
^(?<in_out>[-+])(?<id>[\w:]+)(?:\|(?<method>[A-Z]+)\s+(?<url>/.*))?
See the regex demo.
Details:
^ - start of string(?<in_out>[-+]) - Group "in_out": a - or + char(?<id>[\w:]+) - Group "id": one or more word or : chars(?:\|(?<method>[A-Z]+)\s+(?<url>/.*))? - an optional non-capturing group:
\| - a | char(?<method>[A-Z]+) - Group "method": one or more uppercase ASCII letters\s+ - one or more whitespaces(?<url>/.*) - Group "url": a / and then any zero or more chars to the end of line