Logstash日志时间日期解析
Logstash log time and date parsing
您好,我有以下日志
12-Apr-2021 16:11:41.078 WARNING [https-jsse-nio2-8443-exec-3] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [user1]
我正在尝试为 logstash 构建这些模式。
我有关注
%{MY_DATE_PATTERN:timestamp}\s%{WORD:severity}\s\[%{DATA:thread}\]\s%{NOTSPACE:type_log}
解析如下
{
"timestamp": [
"12-Apr-2021 16:01:01.505"
],
"severity": [
"FINE"
],
"thread": [
"https-jsse-nio2-8443-exec-8"
],
"type_log": [
"org.apache.catalina.realm.CombinedRealm.authenticate"
]
}
我的日期戳是一个自定义模式,它适用于 grok 调试器,但不适用于我正在使用的系统,因此我需要帮助才能使用正则表达式获取日期和时间。有人能帮帮我吗?
2021 年 4 月 12 日 16:11:41.078 GROK REGEX
代替%{MY_DATE_PATTERN:timestamp},您可以使用
(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND})
%{MONTHDAY} - (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])%{MONTH} - \b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b%{YEAR} - (?>\d\d){1,2}`%{HOUR} - (?:2[0123]|[01]?[0-9])%{MINUTE} - (?:[0-5][0-9])%{SECOND} - (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?).
您好,我有以下日志
12-Apr-2021 16:11:41.078 WARNING [https-jsse-nio2-8443-exec-3] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [user1]
我正在尝试为 logstash 构建这些模式。
我有关注
%{MY_DATE_PATTERN:timestamp}\s%{WORD:severity}\s\[%{DATA:thread}\]\s%{NOTSPACE:type_log}
解析如下
{
"timestamp": [
"12-Apr-2021 16:01:01.505"
],
"severity": [
"FINE"
],
"thread": [
"https-jsse-nio2-8443-exec-8"
],
"type_log": [
"org.apache.catalina.realm.CombinedRealm.authenticate"
]
}
我的日期戳是一个自定义模式,它适用于 grok 调试器,但不适用于我正在使用的系统,因此我需要帮助才能使用正则表达式获取日期和时间。有人能帮帮我吗?
2021 年 4 月 12 日 16:11:41.078 GROK REGEX
代替%{MY_DATE_PATTERN:timestamp},您可以使用
(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND})
%{MONTHDAY}-(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])%{MONTH}-\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b%{YEAR} -(?>\d\d){1,2}`%{HOUR}-(?:2[0123]|[01]?[0-9])%{MINUTE}-(?:[0-5][0-9])%{SECOND}-(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?).