Regex match not always present elements

Question

I have these inputs:

+36919:60546a74:0|POST /api/v1/transactions

-36919:60546a74:0

I am looking for a regex (or a grok pattern) to give me these outputs:

For the first line:

in_out: +
id: 36919:60546a74:0
method: POST
url: /api/v1/transactions

For the second line:

in_out: -
id: 36919:60546a74:0

Thanks a lot!

EDIT:

I tried this pattern:

IN_OUT [+-]{1}
FORENSIC_ID .*?(?=\|?)
CUSTOM %{IN_OUT:in_out}%{FORENSIC_ID:forensic_id}\|%{WORD:method} %{URIPATHPARAM:request}

It gives me good result for the first line, but not for the second because there is no "|" after the ID.

So, what was the pattern you tried? BTW, `-36919:60546a74` has no `:0` at the end, you can't match what is not present in the string. — Wiktor Stribiżew, Mar 19 '21 at 09:53
What if you just use `^(?[-+])(?[\w:]+)(?:\|(?[A-Z]+)\s+(?/.*))?`? — Wiktor Stribiżew, Mar 19 '21 at 10:02

score 1 · Accepted Answer · answered Mar 19 '21 at 10:33

You can use the following regex:

^(?<in_out>[-+])(?<id>[\w:]+)(?:\|(?<method>[A-Z]+)\s+(?<url>/.*))?

See the regex demo.

Details:

^ - start of string
(?<in_out>[-+]) - Group "in_out": a - or + char
(?<id>[\w:]+) - Group "id": one or more word or : chars
(?:\|(?<method>[A-Z]+)\s+(?<url>/.*))? - an optional non-capturing group:
- \| - a | char
- (?<method>[A-Z]+) - Group "method": one or more uppercase ASCII letters
- \s+ - one or more whitespaces
- (?<url>/.*) - Group "url": a / and then any zero or more chars to the end of line

score 0 · Answer 2 · answered Mar 19 '21 at 11:12

0

The answer above is correct. Thanks a lot!

In grok syntax:

IN_OUT [+-]
FORENSIC_ID [\w:]+
OPTIONAL [\|]?%{WORD:method}\s%{URIPATHPARAM:request}
CUSTOM %{IN_OUT:in_out}%{FORENSIC_ID:forensic_id}%{OPTIONAL:rest}*

answered Mar 19 '21 at 11:12

Karim

187
10

Regex match not always present elements

2 Answers2