Grok debugging - Match first only regex not working as intended
So I have the following log message:
[localhost-startStop-1] SystemPropertiesConfigurer$ExportingPropertyOverrideConfigurer loadProperties > Loading properties file from class path resource [SystemConfiguration.overrides]
I am trying to match the first thread ( [localhost-startStop-1] ) with the following pattern:
EVENT_THREAD (\[.+?\])
This works when I pass it to regex101.com, but does not work when I express it as
%{(\[.+?\]):EVENT_THREAD} on grokdebugger for reasons unknown to me...
Can anyone help me understand?
Thanks,
See Grok help:
Sometimes logstash doesn’t have a pattern you need. For this, you have a few options.
First, you can use the Oniguruma syntax for named capture which will let you match a piece of text and save it as a field:
(?<field_name>the pattern here)
So, use (?<EVENT_THREAD>\[.+?\]).
Alternately, you can create a custom patterns file.
Create a directory called patterns with a file in it called extra (the file name doesn’t matter, but name it meaningfully for yourself)
In that file, write the pattern you need as the pattern name, a space, then the regexp for that pattern.
# contents of ./patterns/postfix:
EVENT_THREAD (?:\[.+?\])
Then use the patterns_dir setting in this plugin to tell logstash where your custom patterns
filter {
  grok {
    patterns_dir => ["./patterns"]
    match => { "message" => "%{EVENT_THREAD:evt_thread}" }
  }
}
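The two options from the answer, modelled in Ruby (whose Regexp engine, Onigmo, is an Oniguruma fork) as an added example that is not part of the original post and is not Logstash code. PATTERNS, expand and grok are hypothetical names, and rejecting a leftover "%{" is an assumption of this model; the last check shows why anchoring matters when a line has no leading thread.

```ruby
# Added example: a small model of grok reference expansion, not Logstash's implementation.
# PATTERNS, GROK_REF, expand and grok are hypothetical names.

# Constructed sample: the log line from the question.
LINE = '[localhost-startStop-1] SystemPropertiesConfigurer$ExportingPropertyOverrideConfigurer ' \
       'loadProperties > Loading properties file from class path resource [SystemConfiguration.overrides]'

# Same shape as an entry in a patterns_dir file: pattern name => regexp.
PATTERNS = { 'EVENT_THREAD' => '(?:\[.+?\])' }.freeze

# A grok reference is %{NAME} or %{NAME:field}; NAME is a pattern name, never a raw regex.
GROK_REF = /%\{(\w+)(?::(\w+))?\}/

# Replace each reference with its definition, wrapped in a named group when a field is given.
def expand(expr)
  out = expr.gsub(GROK_REF) do
    name = Regexp.last_match(1)
    field = Regexp.last_match(2)
    body = PATTERNS.fetch(name) { raise KeyError, "pattern #{name} is not defined" }
    field ? "(?<#{field}>#{body})" : body
  end
  # Assumption of this model: a leftover "%{" is reported instead of being matched literally.
  raise ArgumentError, "not a pattern reference: #{expr}" if out.include?('%{')
  out
end

# Return the named captures as a Hash, or nil when the line does not match.
def grok(expr, line)
  m = Regexp.new(expand(expr)).match(line)
  m && m.named_captures
end

if __FILE__ == $PROGRAM_NAME
  p grok('(?<EVENT_THREAD>\[.+?\])', LINE)     # inline named capture
  p grok('%{EVENT_THREAD:evt_thread}', LINE)   # custom pattern plus field name
  # Unanchored, a later bracket is taken as the thread; anchored, the line is left unparsed.
  p grok('%{EVENT_THREAD:evt_thread}', 'no thread [SystemConfiguration.overrides]')
  p grok('^%{EVENT_THREAD:evt_thread} ', 'no thread [SystemConfiguration.overrides]')
  begin
    grok('%{(\[.+?\]):EVENT_THREAD}', LINE)    # the form from the question
  rescue ArgumentError => e
    puts e.message
  end
end
```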