In the following log entry as "_raw":
"OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "gmlc-http-client/2.0" "-"
I have a successful rex for the "405" error field location and the "173" error field location.
I would like to build a rex to identify the "gmlc-http-client" section of that log entry. (That field can show several different client types between those quotes.)
My rex is as follows:
rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\""
This rex does not error, but the result comes back as null/blank.
Try these. One is greedier than the other.
| rex field=_raw "\"OPTIONS([^\"]*)?HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"
| rex field=_raw "HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"
rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\""
This rex does not error, but the result comes back as null/blank.
The expression "(?<Error3>)" positively looks for a zero-length match, hence a zero-length Error3. @johnhuang's suggestion of (?<Error3>[^\"]+) will fix this. Overall, the above is too rigid. Although httpd logs are highly standard, it is not safe to assume that a blank field ("-") will always be blank, for example. Expressions like [^\"]+ are good lubricants for this purpose.
The second suggestion did the trick. Thank you!
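The patterns from this thread, run side by side in Python as an added example (not posted by any participant). Python's re module needs (?P<name>...) where Splunk's rex accepts (?<name>...); the patterns are otherwise unchanged. All sample lines except the first are constructed variants, and the extract helper is hypothetical.

```python
import re

# First line is the entry from the question; the others are constructed variants.
SAMPLES = [
    '"OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "gmlc-http-client/2.0" "-"',
    # Constructed: empty client field, the only shape the empty group can match.
    '"OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "" "-"',
    # Constructed: 4-digit size and a non-blank field before the client.
    '"OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 1730 "http://example.invalid/" "other-client/1.1" "-"',
]

# Pattern from the question: nothing inside the capture group.
EMPTY_GROUP = re.compile(
    r'HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?P<Error3>)\"\s\"\-\"')
# Same pattern with [^\"]+ inside the group.
FILLED_GROUP = re.compile(
    r'HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?P<Error3>[^\"]+)\"\s\"\-\"')
# Second pattern from the accepted answer: no fixed widths, no fixed "-" fields.
TOLERANT = re.compile(
    r'HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?P<http_client>[^\"]*)')


def extract(pattern, group, line):
    """Return the named group's text, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group(group) if m else None


if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        print("  empty group :", repr(extract(EMPTY_GROUP, "Error3", line)))
        print("  filled group:", repr(extract(FILLED_GROUP, "Error3", line)))
        print("  tolerant    :", repr(extract(TOLERANT, "http_client", line)))
```

On the original line the empty group finds no match at all, which is why the field comes back blank; it matches only when the two quotes are adjacent.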