5

I have the following query on cloudwatch logs

fields replace(path,'%20',' ') as pathz | parse pathz /^(?<url1>.*) [!A-Z0-9-]*(?<url2>[ˆ!].*)$/ | fields concat(url1, url2) as url | display coalesce(url,pathz) as furl

3 sample pathz parsed are:

/v1/routing/pega-public/prweb/api/v1/assignments/ASSIGN-WORKLIST GNR-AUTO-WORK ST-4102!RACCOLTADATIPRELIMINARI_FLOW /v1/routing/pega-public/prweb/api/DeviceInfoPackage/v1/SetInitialCaseInfomation /v1/routing/pega-public/prweb/api/v1/cases/GNR-AUTO-WORK 43FFC9776C00474388A664A8A3E24B68

The desired output is removing the data:

/v1/routing/pega-public/prweb/api/v1/assignments/ASSIGN-WORKLIST GNR-AUTO-WORK RACCOLTADATIPRELIMINARI_FLOW /v1/routing/pega-public/prweb/api/DeviceInfoPackage/v1/SetInitialCaseInfomation /v1/routing/pega-public/prweb/api/v1/cases/GNR-AUTO-WORK

but I can't manage to get it

Third line is empty this is because concat output doesn't return 'null' which could be skipped by coalesce but it returns an empty string that is matched

I digged in the doc and in few examples on the internet but there is no way to get this working properly

Improve this question
0

1 Answer 1

Reset to default
6

solved with this:

fields @timestamp, status, replace(path,'%20',' ') as pathx | parse pathx /(?<a1>^[^ ]+ *[A-Z-]*)( (?<a2>[A-Z0-9-]+){1,2}(?<a3>.*))*/ | filter | display concat(a1,a3) as cleanurl
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.