Multiple custom grok patterns not matching, but they successfully match alone?

Grok matches single custom patterns, but does match when custom patterns are combined.

Complete, working, and verifiable example

Sample data:

OK 05/20 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith _A0011

Custom patterns:

MMDD [0-1][0-9]/[0-3][0-9]
THREAD _A\w+

They work separately; specifically, this pattern works by itself:

%{MMDD:mmdd} 

// Result
{
  "mmdd": [
    [
      "05/20"
    ]
  ]
}

... and this pattern works by itself:

%{THREAD:thread}

// Result
{
  "thread": [
    [
      "_A0011"
    ]
  ]
}    

..but together, they fail:

%{MMDD:mmdd} %{THREAD:keyword}

No Matches

Puzzling. Tyvm Keith :^)

Testing here: https://grokdebug.herokuapp.com/

Regex Resource: https://regex101.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

EDIT based on Jeff Y's comment below

Note change of keyword to thread

// Grok Pattern
%{MMDD:mmdd}%{DATA}%{THREAD:thread}

// Result
{
  "mmdd": [
    [
      "05/20"
    ]
  ],
  "DATA": [
    [
      " 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith "
    ]
  ],
  "thread": [
    [
      "_A0011"
    ]
  ]
}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

EDIT 2 based on Jeff Y's second comment below

// Data - HACKED - Note move of _A0011 to after mm/dd
OK 05/20 _A0011 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith 

// Grok Pattern
%{MMDD:mmdd} %{THREAD:thread}

// Result
{
  "mmdd": [
    [
      "05/20"
    ]
  ],
  "thread": [
    [
      "_A0011"
    ]
  ]
}

Grok will test your patterns against the whole message.

If your message is OK 05/20 _A0011 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith and you only want the 05/20 and _A0011 part, your grok should have patterns to match the rest of the string, but not save them in a field.

For example, the pattern %{WORD}%{SPACE}%{MMDD:mmdd}%{SPACE}%{THREAD:thread}%{SPACE}%{GREEDYDATA} will match your string; it will save the mmdd and thread fields, but ignore everything else.
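
Added example, not part of the original question or answer: a minimal Python expansion of grok expressions into regular expressions, run over the sample line, showing that the literal space in `%{MMDD:mmdd} %{THREAD:keyword}` requires the thread id to follow the date directly, so everything in between has to be consumed by the pattern. The `WORD`, `SPACE`, `DATA` and `GREEDYDATA` definitions are simplified stand-ins for the stock Logstash patterns, and `grok_to_regex` and `grok` are hypothetical helper names.

```python
import re

# MMDD and THREAD are the custom patterns from the question. The other four
# are simplified stand-ins (assumptions) for the stock Logstash patterns.
PATTERNS = {
    "MMDD": r"[0-1][0-9]/[0-3][0-9]",
    "THREAD": r"_A\w+",
    "WORD": r"\b\w+\b",
    "SPACE": r"\s*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expr):
    """Expand %{NAME} and %{NAME:field} tokens into a Python regex string."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]
        # Named tokens become capture groups, unnamed ones are matched but not saved.
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return TOKEN.sub(expand, expr)


def grok(expr, line):
    """Return the named captures as a dict, or None when nothing matches."""
    m = re.search(grok_to_regex(expr), line)
    return m.groupdict() if m else None


# Sample line from the question, and the reordered line from EDIT 2.
LINE = "OK 05/20 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith _A0011"
MOVED = "OK 05/20 _A0011 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith"

if __name__ == "__main__":
    for expr in (
        "%{MMDD:mmdd}",
        "%{THREAD:thread}",
        "%{MMDD:mmdd} %{THREAD:keyword}",       # literal space: fields must be adjacent
        "%{MMDD:mmdd}%{DATA}%{THREAD:thread}",  # DATA consumes the text in between
    ):
        print(f"{expr!r:45} -> {grok_to_regex(expr)!r}")
        print(f"{'':45}    {grok(expr, LINE)}")
```
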
