amazon-cloudwatchlogs aws-cloudwatch-log-insights

CloudWatch Logs Insights: coalesce on concat output


I have the following query on CloudWatch Logs:

fields replace(path,'%20',' ') as pathz
| parse pathz /^(?<url1>.*) [!A-Z0-9-]*(?<url2>[^!].*)$/
| fields concat(url1, url2) as url
| display coalesce(url,pathz) as furl

Three sample pathz values that are parsed:

/v1/routing/pega-public/prweb/api/v1/assignments/ASSIGN-WORKLIST GNR-AUTO-WORK ST-4102!RACCOLTADATIPRELIMINARI_FLOW
/v1/routing/pega-public/prweb/api/DeviceInfoPackage/v1/SetInitialCaseInfomation
/v1/routing/pega-public/prweb/api/v1/cases/GNR-AUTO-WORK 43FFC9776C00474388A664A8A3E24B68

The desired output, with the data removed, is:

/v1/routing/pega-public/prweb/api/v1/assignments/ASSIGN-WORKLIST GNR-AUTO-WORK RACCOLTADATIPRELIMINARI_FLOW
/v1/routing/pega-public/prweb/api/DeviceInfoPackage/v1/SetInitialCaseInfomation
/v1/routing/pega-public/prweb/api/v1/cases/GNR-AUTO-WORK

but I can't manage to get it.

The third line is empty. This is because concat doesn't return 'null', which coalesce could skip; instead it returns an empty string, which is matched.

I dug through the docs and a few examples on the internet, but there is no way to get this working properly.


Solution

  • Solved with this:

    fields @timestamp, status, replace(path,'%20',' ') as pathx
    | parse pathx /(?<a1>^[^ ]+ *[A-Z-]*)( (?<a2>[A-Z0-9-]+){1,2}(?<a3>.*))*/
    | filter 
    | display concat(a1,a3) as cleanurl