Logstash pattern matching more than it should

I have a log line (multiline match) that looks like this:

3574874    14/Jul/2016 20:42:37 +0000  ERROR [http-bio-0.0.0.0-8443-exec-128] error_jsp            _jspService    > could not lock: [com.myCompany.myProject.bean.scheduling.Area#6306]; SQL [/* UPGRADE lock com.myCompany.myProject.bean.scheduling.Area */ select Area_id from Area_ID where Area_id =? and Area_Version =? for update]; nested exception is org.hibernate.exception.LockAcquisitionException: could not lock: [com.myCompany.myProject.bean.scheduling.Area#6306]
org.springframework.dao.CannotAcquireLockException: could not lock: [com.myCompany.myProject.bean.scheduling.MyClass#6306]; SQL [/* UPGRADE lock com.myCompany.myProject.bean.scheduling.MyClass */ select Area_ID from Area where Area =? and Area =? for update]; nested exception is org.hibernate.exception.LockAcquisitionException: could not lock: [com.myCompany.myProject.bean.scheduling.Area#6306]
    at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:639)
    at org.springframework.orm.hibernate3.HibernateExceptionTranslator.convertHibernateAccessException(HibernateExceptionTranslator.java:89)
    at org.springframework.orm.hibernate3.HibernateExceptionTranslator.translateExceptionIfPossible(HibernateExceptionTranslator.java:68)
    at org.springframework.dao.support.ChainedPersistenceExceptionTranslator.translateExceptionIfPossible(ChainedPersistenceExceptionTranslator.java:58)
    at org.springframework.dao.support.DataAccessUtils.translateIfNecessary(DataAccessUtils.java:213)
    at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:163)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:633)
    at com.myCompany.myProject.dal.hibernate.Impl$$EnhancerBySpringCGLIB$5be625.lock(<generated>)
    at com.myCompany.myProject.scheduling.Area.AreaClose(MyClass.java:1265)
    at com.myCompany.myProject.scheduling.Area.handleProviderDisconnect(MyClass.java:1190)
    at com.myCompany.myProject.scheduling.Area$$FastClassBySpringCGLIB$0c3d67.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:700)

My patterns file is laid out like this:

    # AW Tomcat formatting
    TOMCAT_DATE %{MONTHDAY}[./-]%{MONTH}[./-]%{YEAR}
    TOMCAT_TS %{BASE10NUM}
    #%{BASE10NUM}
    TOMCAT_TIME %{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
    TOMCAT_THREAD \[(.+?)\]
    TOMCAT_CLASS [A-Za-z0-9]+
    TOMCAT_CLASS_METHOD %{NOTSPACE}
    TOMCAT_TIMESTAMP %{TOMCAT_DATE}[\s]+%{TOMCAT_TIME}
    TOMCAT_MESSAGE .+
    TOMCAT_IP %{IP}
    TOMCAT_DATA %{NOTSPACE}

    TOMCAT_LOG (?:%{TOMCAT_TS:log_ts})[\s]+(?:%{TOMCAT_TIMESTAMP:log_timestamp})[\s]+%{INT}[\s]+(?:%{LOGLEVEL:log_level})[\s]+(?:%{TOMCAT_THREAD:thread})[\s]+(?:%{TOMCAT_CLASS:class_name})[\s]$

When I look at it in Logstash, it seems the pattern for the thread matches more than just the thread... it keeps matching all the way to [com.myCompany.myProject.bean.scheduling.MyClass#6306];

When I take just the thread and the regex for the space and throw them at regexr or regex101, I can't recreate it using the following:

    \[(.+?)\][\s]+

Does anyone know why the regex works everywhere except Logstash? Also, this works for about 99.5% of the incoming Tomcat logs....

You have a + in your log. You need to match it with \+, or make it optional with \+?:

    TOMCAT_LOG (?:%{TOMCAT_TS:log_ts})\s+(?:%{TOMCAT_TIMESTAMP:log_timestamp})\s+\+?%{INT}\s+(?:%{LOGLEVEL:log_level})\s+(?:%{TOMCAT_THREAD:thread})\s+(?:%{TOMCAT_CLASS:class_name})\s*$
                                                                                 ^^^
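
An added example, not part of the original question or answer, showing in Ruby why the thread fragment behaves differently in isolation than inside a longer pattern: a lazy `.+?` grows past the first `]` whenever a token after it fails to match. The sample line, the simplified `HEAD`/`TAIL` stand-ins for the grok patterns and the `[^\]]+` variant are assumptions made for illustration.

```ruby
# Constructed sample line, shortened from the log format shown in the question.
LINE = "3574874    14/Jul/2016 20:42:37 +0000  ERROR " \
       "[http-bio-0.0.0.0-8443-exec-128] error_jsp   _jspService  > " \
       "could not lock: [Area#6306] retrying later"

# Simplified stand-ins (assumptions) for the grok patterns before the thread.
HEAD = '\A(?<log_ts>\d+)\s+(?<log_timestamp>\S+\s+\S+)\s+[+-]?\d+\s+' \
       '(?<log_level>[A-Z]+)\s+'
# Tokens required after the thread: whitespace, alphanumeric class, whitespace.
TAIL = '\s+(?<class_name>[A-Za-z0-9]+)\s'

LAZY_THREAD    = '\[(?<thread>.+?)\]'     # same shape as TOMCAT_THREAD
BOUNDED_THREAD = '\[(?<thread>[^\]]+)\]'  # hypothetical: cannot cross a "]"

# Return the captured thread, or nil when the pattern does not match.
def thread_for(pattern, line = LINE)
  m = Regexp.new(pattern).match(line)
  m && m[:thread]
end

# Fragment tested alone (as on regex101): nothing after it can fail,
# so the lazy quantifier stops at the first "]".
def isolated_thread
  thread_for(LAZY_THREAD + '[\s]+')
end

# Same fragment inside the full pattern: the class token fails on the "_"
# in "error_jsp", so the engine backtracks and extends ".+?" to a later "]".
def lazy_in_context
  thread_for(HEAD + LAZY_THREAD + TAIL)
end

# Bounded fragment: the capture cannot grow, so the whole match fails.
def bounded_in_context
  thread_for(HEAD + BOUNDED_THREAD + TAIL)
end

if __FILE__ == $PROGRAM_NAME
  puts "isolated: #{isolated_thread.inspect}"
  puts "lazy:     #{lazy_in_context.inspect}"
  puts "bounded:  #{bounded_in_context.inspect}"
end
```

In Logstash a grok filter that fails to match tags the event `_grokparsefailure`, which is easier to spot and alert on than a `thread` field silently filled with part of the message.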