Logstash Grok匹配到UserAgent的最后一个索引
[英]Logstash Grok match to last index unti begin of UserAgent
问题描述
I have this log message: 
我有此日志消息:
"sid-cmascioieiow89322&New*Sou,th%20Skvn%20and%20ir&o,n%20Age,Mozilla/5.0 (Linux; Android 6.0; CHM-U01 Build/HonorCHM-U01) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36"
And the pattern: 和模式:
"(?[^&])&(?[^,]),%{GREEDYDATA:User_Agent}"
The problem is p2 sometimes contains zero or one or more then one comma. 问题是p2有时包含零或一个或多个然后一个逗号。 I want to match to the last comma before UserAgent because UserAgent some time contains commas. 我想匹配UserAgent之前的最后一个逗号,因为UserAgent有时包含逗号。
This is the grok debugger link: https://grokdebug.herokuapp.com/ 这是grok调试器链接: https ://grokdebug.herokuapp.com/
Now: 现在:
{
"p1": [
"sid-cmascioieiow89322"
],
"p2": [
"New*Sou"
],
"User_Agent": [
"th%20Skvn%20and%20iro,n%20Age,Mozilla/5.0 (Linux; Android 6.0; CHM-U01 Build/HonorCHM-U01) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36"
]
}
I want like this: 我想要这样:
{
"p1": [
"sid-cmascioieiow89322"
],
"p2": [
"New*Sou,th%20Skvn%20and%20ir&o,n%20Age"
],
"User_Agent": [
"Mozilla/5.0 (Linux; Android 6.0; CHM-U01 Build/HonorCHM-U01) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36"
]
}
Thank you for your help. 谢谢您的帮助。
1 个解决方案
解决方案1
0 已采纳 2017-06-04 17:47:45
The part of string that you want to capture into p2 part has no whitespaces. 您要捕获到p2部分的字符串部分没有空格。 Thus, instead of a [^,]* pattern that matches any zero or more chars other than , you may use \\S* - any 0+ non-whitespace chars as many as possible, thus \\S*, will match the comma that is the last in the streak of non-whitespace chars. 因此,代替[^,]* ,除其他任何零个或多个字符相匹配的图案,则可以使用\\S* -任何0+ 非空白尽可能多的字符,从而\\S*,将匹配逗号那是非空白字符中的最后一个。
(?<p1>[^&]*)&(?<p2>\S*),%{GREEDYDATA:User_Agent}
^^^^^^^^^^
This is how this regex matches your log data: 这是此正则表达式与您的日志数据匹配的方式:
See the Grok demo screenshot: 请参阅Grok演示屏幕截图:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.