Logstash grok方括号
[英]Logstash grok square brackets
问题描述
I'm trying to get some sort of grok pattern to work with the following logging format : 
我正在尝试使用以下日志记录格式来使用某种grok模式:
*Sun 07:05:18.372 INFO [main] [userID] perf - 0ms - select x from y
The problem I'm having is the field in square brackets that I've annotated here as userID. 我遇到的问题是方括号中的字段,我在这里注释为userID。 Sometimes this field is populated and at other times it is not. 有时这个字段是填充的,有时则不是。 If I use the grok pattern below : 如果我使用下面的grok模式:
*%{DAY:Day} %{TIME:Time} %{LOGLEVEL:Loglevel}\s+(\[%{WORD:module}\]\s+)(\[%{HOSTNAME:id}\]\s+)%{GREEDYDATA:logline}*
It parses correctly as long as there is some data in the UserID field. 只要UserID字段中有一些数据,它就会正确解析。 If that field is empty ( example below ) it doesn't match. 如果该字段为空(例如下面),则它不匹配。 Any ideas gratefully received! 任何想法都感激不尽!
*Sun 07:05:18.372 INFO [main] [] perf - 0ms - select x from y
2 个解决方案
解决方案1
6 2015-07-16 15:07:21
Did you try to escape the brackets with backward slash? 你试图用反斜杠来逃避括号吗? As in \\[%{WORD:module}\\] 如\\[%{WORD:module}\\]
解决方案2
0 2018-04-23 15:33:55
the question is not about the escaping of the [] a simple zero or more operator (?) should do it: 问题不是关于[]一个简单的零或更多运算符(?)的转义应该这样做:
(?\[%{WORD:module}?]\s+)
(the second ?) (第二 ?)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.