logstash grok模式将标签留空
[英]logstash grok pattern to leave tags empty
问题描述
I am trying to leave one of the pattern as blank when the corresponding tag is not found. 
当找不到对应的标签时,我试图将模式之一留为空白。 But somehow, next match is getting substituted. 但是不知何故,下一场比赛将被替换。
I have a logline as below 我有一条如下的日志
[2017-10-19 09:41:07,204: INFO/Worker-5] <test id = '123:4567', name = 'example_testcase'><TID:0b46030ee6f14055b41b796a4eebfef2><RID:01234567>POST some url to post
I tried this below grok pattern matching 我在下面的grok模式匹配中尝试了这个
^\[%{TIMESTAMP_ISO8601:timestamp}%{DATA}%{LOGLEVEL:log_level}/%{DATA:work_id}\]%{SPACE}(?:<%{DATA:message_headers}>)?(<TID:%{DATA:tid}>)?(<RID:%{BASE10NUM:rid}>)?%{GREEDYDATA:log_message}
This works good as along as message_headers is found, if it is not found, then message headers is getting substituted with TID. 这与查找message_headers一样有效,如果未找到,则消息标头将替换为TID。 ex: 例如:
[2017-10-19 09:41:07,204: INFO/Worker-5] <TID:0b46030ee6f14055b41b796a4eebfef2><RID:01234567>POST some url to post
then the grok pattern, should leave message_headers as blank. 那么grok模式应将message_headers保留为空白。 instead TID is sitting in message_headers. 而是TID坐在message_headers中。 Can anyone help how to achieve this functionality. 任何人都可以帮助实现此功能。
1 个解决方案
解决方案1
2 2017-10-20 18:32:25
I removed optional expression "?" 我删除了可选表达式“?” after tid and it works. 经过潮汐,它的工作原理。 Thanks 谢谢
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.