堆栈内存溢出
  简体   繁体   English

Logstash Grok 正则表达式单独运行良好,但与其他 grok 表达式组合时不起作用

[英]Logstash Grok regex expression works fine alone but doesn't work when grouped with other grok expressions

 原文  2022-11-26 19:34:40       logstash/ logstash-grok/ filebeat/ logstash-configuration

问题描述

My grok expression works fine when used with the matching string alone but when I use this grok expression with other grok expressions to capture other data that's also present in the log line, it doesn't match with the same matching string.当单独与匹配字符串一起使用时,我的 grok 表达式工作正常,但是当我将此 grok 表达式与其他 grok 表达式一起使用以捕获日志行中也存在的其他数据时,它与相同的匹配字符串不匹配。

Case1: Below grok expression is working fine when running alone for the below log string and the value is captured in the field targetMessage案例 1:下面的 grok 表达式在针对下面的日志字符串单独运行时工作正常,并且值在字段targetMessage中捕获

Log string: Tracking: sent request to msgDestination Grok expression: (?<targetMessage>^Tracking: (?:received response from|sent request to) msgDestination$)日志字符串: Tracking: sent request to msgDestination Grok 表达式: (?<targetMessage>^Tracking: (?:received response from|sent request to) msgDestination$)

Case2: When I try to run the expression with other some other data also present in the log string it doesn't work ie grok expression doesn't match with the same string as used above.案例 2:当我尝试使用日志字符串中也存在的其他一些其他数据运行表达式时,它不起作用,即 grok 表达式与上面使用的相同字符串不匹配。

Log string: 2022-11-26 8:16:39,873 INFO [task.SomeTask] Tracking: sent request to msgDestination: MODULE1|SERVICE1|20220330051054|TASK1日志字符串: 2022-11-26 8:16:39,873 INFO [task.SomeTask] Tracking: sent request to msgDestination: MODULE1|SERVICE1|20220330051054|TASK1

Grok expression: %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} \[(?<classname>[^\]]+)\] (?<targetMessage>^Tracking: (?:received response from|sent request to) msgDestination$): %{WORD:moduleName}\|%{WORD:service}\|%{INT:requestId}\|%{WORD:taskName} Grok 表达式: %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} \[(?<classname>[^\]]+)\] (?<targetMessage>^Tracking: (?:received response from|sent request to) msgDestination$): %{WORD:moduleName}\|%{WORD:service}\|%{INT:requestId}\|%{WORD:taskName}

Debug tool used: https://grokdebug.herokuapp.com/使用的调试工具: https://grokdebug.herokuapp.com/

If anyone can please suggest what mistake I'm making here?如果有人可以建议我在这里犯了什么错误?

1 个解决方案

解决方案1
 1 已采纳  2022-11-26 19:59:07

^ and $ anchor an expression to the start and end of a line respectively. ^ 和 $ 分别将表达式锚定到的开头和结尾。 You have both inside the targetMessage custom pattern, and that is in the middle of the line, so neither one matches.您在 targetMessage 自定义模式中同时拥有这两个模式,并且位于该行的中间,因此两者都不匹配。 Remove both ^ and $删除 ^ 和 $

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 RegEx 过滤器在 RegExr 中有效,但在 Logstash Grok 中无效 - RegEx Filter Works In RegExr But Not Logstash Grok Logstash grok 过滤器对最后一个字段不起作用 - Logstash grok filter doesn't work for the last field 为什么Logstash Grok正则表达式组不起作用? - why logstash grok regex group not work? Logstash Grok过滤器正则表达式 - Logstash grok filter regex Logstash grok 和正则表达式过滤器 - Logstash grok & regex filter Logstash Grok不会更改@timestamp - Logstash Grok doesn't change @timestamp Logstash grok 与特定字段不匹配 - Logstash grok doesn't match for specific field Grok模式在Grok调试器中有效,但在Logstash配置中无效 - Grok pattern works in Grok debugger but not in logstash config Logstash:多行数据的grok表达式 - Logstash: grok expression for multiline data 使用正则表达式和 grok 进行 logstash 日志解析 - logstash log parsing with regex and grok
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM