Grok debugging - Match first only regex not working as intended

So I have the following log message:

[localhost-startStop-1] SystemPropertiesConfigurer$ExportingPropertyOverrideConfigurer loadProperties    > Loading properties file from class path resource [SystemConfiguration.overrides]

I am trying to match the first thread ( [localhost-startStop-1] ) with the following pattern:

EVENT_THREAD (\[.+?\])

This works when I feed it to regex101.com, but it does not work when I express it as

%{(\[.+?\]):EVENT_THREAD} on grokdebugger, for reasons unknown to me...

Can anyone help me understand this?

Thanks,

See the Grok help:

Sometimes logstash doesn’t have a pattern you need. For this, you have a few options.

First, you can use the Oniguruma syntax for named capture which will let you match a piece of text and save it as a field:

(?<field_name>the pattern here)

So, use (?<EVENT_THREAD>\[.+?\])

Alternately, you can create a custom patterns file.

Create a directory called patterns with a file in it called extra (the file name doesn’t matter, but name it meaningfully for yourself).
In that file, write the pattern you need as the pattern name, a space, then the regexp for that pattern.

# contents of ./patterns/extra:
EVENT_THREAD (?:\[.+?\])

Then use the patterns_dir setting in this plugin to tell logstash where your custom patterns

filter {
  grok {
    patterns_dir => ["./patterns"]
    match => { "message" => "%{EVENT_THREAD:evt_thread}" }
  }
}
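As an added example (not code from the question, the answer, or Logstash itself), here is a small Python expander that resolves %{NAME:field} references the way the answer describes, reading the patterns-file format above and applying it to the log line from the question. It shows why an inline regex inside %{...} is rejected: the part before the colon must be a defined pattern name. Python's re module spells named groups (?P<name>...) where Oniguruma uses (?<name>...); the patterns-file contents and the anchored match pattern are constructed for this example.

```python
import re

# Added example, not Logstash's own code: a minimal grok-style expander that
# shows why %{(\[.+?\]):EVENT_THREAD} fails. A grok reference is %{NAME} or
# %{NAME:field}; NAME must be an identifier from a patterns file, not a regex.
GROK_REF = re.compile(r"%\{(?P<name>[A-Za-z0-9_]+)(?::(?P<field>[A-Za-z0-9_@.-]+))?\}")
# Constructed contents of ./patterns/extra ('NAME REGEX' per line).
PATTERNS_FILE = r"""# custom patterns
EVENT_THREAD (?:\[.+?\])
"""

# The log line from the question.
LOG = ("[localhost-startStop-1] SystemPropertiesConfigurer$ExportingPropertyOverrideConfigurer"
       " loadProperties    > Loading properties file from class path resource [SystemConfiguration.overrides]")

def load_patterns(text):
    """Parse a patterns file: one 'NAME REGEX' per line, '#' lines ignored."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, regex = line.partition(" ")
            defs[name] = regex
    return defs

def compile_grok(pattern, definitions):
    """Expand %{NAME:field} into a Python regex (Oniguruma's (?<f>..) is (?P<f>..) here)."""
    def expand(m):
        name, field = m.group("name"), m.group("field")
        if name not in definitions:
            raise ValueError(f"unknown grok pattern {name}")
        body = compile_grok(definitions[name], definitions).pattern  # nested refs
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    expanded = GROK_REF.sub(expand, pattern)
    if "%{" in expanded:  # a reference that did not parse, e.g. an inline regex
        raise ValueError("invalid grok reference: use %{NAME} or %{NAME:field}")
    return re.compile(expanded)

def is_valid_grok(pattern, definitions):
    """True when every %{...} resolves to a defined name; False otherwise."""
    try:
        compile_grok(pattern, definitions)
        return True
    except ValueError:
        return False

def extract_thread(message):
    """Anchor at line start so .+? cannot scan the whole message on bad input."""
    rx = compile_grok(r"^%{EVENT_THREAD:evt_thread}", load_patterns(PATTERNS_FILE))
    m = rx.match(message)
    return m.group("evt_thread") if m else None
```

Running extract_thread(LOG) returns "[localhost-startStop-1]", while the question's %{(\[.+?\]):EVENT_THREAD} is rejected as an invalid reference, matching what grokdebugger does.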