如何在grok中解析文本 [英] how do you parse text in grok
本文介绍了如何在grok中解析文本的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我需要使用grok从此路径捕获两个变量:
I need to capture two variables from this path using grok:
/opt/data/app_log/server101.log
server=needs to be anything after the last forward slash before the dot (in this case server101)
index=needs to be the text between the last two forward slashes (in this case app_log)
有什么想法可以用grok做到吗?
Any ideas how could do this in grok?
grok {
patterns_dir => ["/pattern"]
match =>{path =>"%{WORD:dir1}\/%{WORD:dir2}\/%{WORD:index_name}\/%{WORD:server}\.%{WORD:file_type}"}
match => {"message" => "%{TIMESTAMP_ISO8601:timestamp},%{NUMBER:Num_field} %{WORD:error_level} %{GREEDYDATA:origin}, %{WORD:logger} - %{GREEDYDATA:message}"}
}
推荐答案
最简单的解决方案是
/%{DATA:col1}/%{DATA:col2}/%{DATA:index}/%{DATA:server}\.%{GREEDYDATA:end}
您可以删除名称col1,col2和end以删除这些捕获.
you can remove the names col1, col2, and end to drop those captures.
此模式依赖于URI中始终有相同数量的部分.如果存在可变数字,则可以使用类似这样的内容.
This pattern relies on there always being the same number of parts in your URI. If there are a variable number you could use something like this.
(?:/%{USER})*/%{DATA:index}/%{DATA:server}\.%{GREEDYDATA:end}
我使用 grok构造器制作并测试了这些
I made and tested these using the grok constructor
使用此模式:
filter {
grok {
match => {
"message" => <message-pattern>
}
}
grok {
match => {
"log_path" => "(?:/%{USER})*/%{DATA:index}/%{DATA:server}\.%{GREEDYDATA}"
}
}
}
其中"log_path"是包含您进行常规邮件解析后的日志路径的字段的名称.
Where "log_path" is the name of the field containing the log path after you do your normal message parsing.
这篇关于如何在grok中解析文本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
