logstash grok过滤烦恼
[英]logstash grok filter annoyance
问题描述
Thu Sep 27 15:30:27 BST 2012:- Invalid token $_POST[custom], which indicates the amount, userid
This is from a log file I'm trying to parse using grok for logstash. 
这是我正在尝试使用grok解析logstash的日志文件。
The first few fields are ok, and it seemed very close to DATESTAMP_OTHER, but I think that the UK timezone of BST is messing that up. 前几个字段还可以,它看起来非常接近DATESTAMP_OTHER,但我认为BST的英国时区搞砸了。
Got as far as this, but not sure how to make it work! 到目前为止,但不知道如何使它工作!
%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %([PMCEB][SD]T) %{YEAR} %{GREEDYDATA:message}
2 个解决方案
解决方案1
11 已采纳 2013-05-19 08:50:44
1) Try out the Grok Debugger which will allow you to test your Grok patterns, on the spot. 1)试用Grok Debugger ,它可以让你在现场测试你的Grok模式。
2) Also, change your %([PMCEB][SD]T) for something like (?<variable_name>(BST)*) to start off with. 2)另外,将(?<variable_name>(BST)*)类的内容更改为%([PMCEB][SD]T) (?<variable_name>(BST)*)以开始。 You are using the wrong syntax for plain regex. 您使用的是正确的正则表达式的错误语法。
3) Most important Read the docs . 3) 最重要的阅读文档 。 Everything I have just mentioned came directly from the docs. 我刚才提到的一切都直接来自文档。
解决方案2
0 2013-02-17 18:14:46
Here is my approach to the problem: 这是我解决问题的方法:
TZEXPANDED (?:[PMCEB][SD]T) MYCUSTOM %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZEXPANDED} %{YEAR}
Or if you prefer: 或者如果您愿意:
MYCUSTOM %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{(?:[PMCEB][SD]T)} %{YEAR}
In my opinion, the first option is better, because you can use the pattern later on for something else 在我看来,第一个选项更好,因为您可以稍后使用该模式来获取其他内容
Greetings 问候
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.