日志文件中的Logstash可选字段 [英] Logstash optional fields in logfile

问题描述

我正在尝试使用grok解析日志文件

日志文件的每一行都有用逗号分隔的字段:

13,home,ABC,Get,,Private, Public,1.2.3 ecc...

我正在使用像这样的比赛: match => [ "message", "%{NUMBER:requestId},%{WORD:ServerHost},%{WORD:Service}, ...

我的问题是:我可以允许可选字段吗? 有时某些文件可能为空,,

是否存在与这样的字符串匹配的模式2.3.5? (一种版本号)

解决方案

grok的基础是正则表达式，因此您可以将()?包围在模式中以使其成为可选项-例如(%{NUMBER:requestId})?,

如果没有适合您需要的grok模式，您总是可以创建一个这样的命名提取:(?<version>[\d\.]+)它将提取到版本中，其中包含任意数字和点的字符串. >

I'm trying to parse a logfile using grok

Each line of the logfile has fields separated by commas:

13,home,ABC,Get,,Private, Public,1.2.3 ecc...

I'm using match like this: match => [ "message", "%{NUMBER:requestId},%{WORD:ServerHost},%{WORD:Service},...

My question is: Can I allow optional field? At times some of the fileds might be empty ,,

Is there a pattern that matches a string like this 2.3.5 ? ( a kind of version number )

解决方案

At it's base, grok is based on regular expressions, so you can surround a pattern with ()? to make it optional -- for example (%{NUMBER:requestId})?,

If there isn't a grok pattern that suits your needs, you can always create a named extraction like this: (?<version>[\d\.]+) which would extract into version, a string that has any number of digits and dots in it.

这篇关于日志文件中的Logstash可选字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！