How to filter a value from the request line of log

Question

I have the following log and I need to filter only salePoint from it.

"GET /supero/global/grocery/fullgrainMenu.jsp?id=cat12216&salePoint=0012FT&locale=es_ES&version=0510091431 HTTP/1.1"

I tried \"(%{NOTSPACE:request}(?:&salePoint=%{DATA:salePoint})?)\" but it giving wrong output

"salePoint": "0012FT&locale=es_ES&version=0510091431 HTTP/1.1"

Expected output is "salePoint": "0012FT

Thanks

Answer 1

Since the question specified that the intention is to find and filter only salePoint, you can use the following grok pattern:

(%{GREEDYDATA:before})?(salePoint=%{WORD:salePoint})(%{GREEDYDATA:after})?

---

Explanation :

1. before : It stores the optional data before salePoint entry is found.
2. salePoint : this stores the salePoint value
3. after : It stores the optional data after salePoint.

As always you can use add more to the pattern if you need to filter out more fields.

---

Example :

"GET /supero/global/grocery/fullgrainMenu.jsp?id=cat12216&salePoint=0012FT&locale=es_ES&version=0510091431 HTTP/1.1"

With the above pattern output is :

{
  "before": [
    [
      ""GET /supero/global/grocery/fullgrainMenu.jsp?id=cat12216&"
    ]
  ],
  "salePoint": [
    [
      "0012FT"
    ]
  ],
  "after": [
    [
      "&locale=es_ES&version=0510091431 HTTP/1.1""
    ]
  ]
}

---

Please use Grok Debugger to play around with the pattern.