How do you parse text in grok
Question
I need to capture two variables from this path using grok:
/opt/data/app_log/server101.log
server=needs to be anything after the last forward slash before the dot (in this case server101)
index=needs to be the text between the last two forward slashes (in this case app_log)
Any ideas how I could do this in grok?
grok {
  patterns_dir => ["/pattern"]
  match =>{path =>"%{WORD:dir1}\/%{WORD:dir2}\/%{WORD:index_name}\/%{WORD:server}\.%{WORD:file_type}"}
  match => {"message" => "%{TIMESTAMP_ISO8601:timestamp},%{NUMBER:Num_field} %{WORD:error_level} %{GREEDYDATA:origin}, %{WORD:logger} - %{GREEDYDATA:message}"}
}
Recommended answer
The simplest solution is:
/%{DATA:col1}/%{DATA:col2}/%{DATA:index}/%{DATA:server}\.%{GREEDYDATA:end}
You can remove the names col1, col2, and end to drop those captures.
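To see why this works, and where it stops working, here is a rough Python sketch of the regular expression the grok pattern expands to. It assumes the stock definitions DATA = `.*?` and GREEDYDATA = `.*`; the names `FIXED_DEPTH`, `FIXED_DEPTH_UNNAMED`, and `parse_fixed` are made up for this illustration and are not part of Logstash.

```python
import re

# Hand-expanded equivalent of the grok pattern (assumed stock definitions):
#   DATA       -> .*?   (lazy, and it may match across "/")
#   GREEDYDATA -> .*
FIXED_DEPTH = re.compile(
    r"/(?P<col1>.*?)/(?P<col2>.*?)/(?P<index>.*?)/(?P<server>.*?)\.(?P<end>.*)"
)

# Same pattern with the names col1, col2 and end removed: those parts
# still have to match, but they are no longer captured.
FIXED_DEPTH_UNNAMED = re.compile(
    r"/(?:.*?)/(?:.*?)/(?P<index>.*?)/(?P<server>.*?)\.(?:.*)"
)

def parse_fixed(path, pattern=FIXED_DEPTH):
    """Return the named captures as a dict, or None if nothing matches."""
    m = pattern.search(path)
    return m.groupdict() if m else None

result = parse_fixed("/opt/data/app_log/server101.log")
print(result["index"], result["server"])   # app_log server101

# One extra directory level shifts every capture, because the pattern
# counts parts from the left.
deeper = parse_fixed("/srv/opt/data/app_log/server101.log")
print(deeper["index"], deeper["server"])   # data app_log/server101
```

The second call shows the limitation: with an extra leading directory, index is taken from the wrong part and server swallows a slash.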
This pattern relies on there always being the same number of parts in your path. If the number of parts varies, you could use something like this:
(?:/%{USER})*/%{DATA:index}/%{DATA:server}\.%{GREEDYDATA:end}
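As a rough check of the variable-depth pattern, the sketch below expands it by hand into a Python regular expression. It assumes the stock definitions USER = `[a-zA-Z0-9._-]+`, DATA = `.*?`, and GREEDYDATA = `.*`; `ANY_DEPTH` and `parse_any_depth` are hypothetical names used only here.

```python
import re

# Hand-expanded equivalent of the variable-depth grok pattern
# (assumed stock definitions):
#   USER       -> [a-zA-Z0-9._-]+
#   DATA       -> .*?
#   GREEDYDATA -> .*
ANY_DEPTH = re.compile(
    r"(?:/[a-zA-Z0-9._-]+)*/(?P<index>.*?)/(?P<server>.*?)\.(?P<end>.*)"
)

def parse_any_depth(path):
    """Return index/server/end as a dict, or None if nothing matches."""
    m = ANY_DEPTH.search(path)
    return m.groupdict() if m else None

# The leading group first consumes as many "/name" parts as it can, then
# backtracks until exactly two parts are left for index and server.
for path in (
    "/app_log/server101.log",
    "/opt/data/app_log/server101.log",
    "/srv/opt/data/app_log/server101.log",
):
    fields = parse_any_depth(path)
    print(path, "->", fields["index"], fields["server"])
```

In this sketch all three paths yield index app_log and server server101, regardless of how many directories come first. Note that directory names containing characters outside the USER class (a space, for example) are not covered by the leading group.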
I made and tested these using the Grok Constructor.
To use this pattern:
filter {
  grok {
    match => {
      "message" => <message-pattern>
    }
  }
  grok {
    match => {
      "log_path" => "(?:/%{USER})*/%{DATA:index}/%{DATA:server}\.%{GREEDYDATA}"
    }
  }
}
Where "log_path" is the name of the field containing the log path after you do your normal message parsing.