Match string with prefix and suffix use Logstash grok pattern
Question
I have a ELK cluster to keep my logs below, and i want to extract some fields in the log use logstash grok.
[info ][170703 10:34:38.998686/832]acct ok,deal_time=122ms;ACCESS_PORT=216179383538692472&ACCESS_TYPE=2&ACCOUNT=07592111916&Acct-Status-Type=3;
here is my grok pattern.
%{SYSLOG5424SD}\[%{DATA:[@metadata][timestamp]}\/%{NUMBER}\]%{WORD:type}\ %{WORD:status}\,%{GREEDYDATA}%{NUMBER:dealtime}ms\;%{GREEDYDATA}(?<acct>(?<=ACCOUNT=).*)
i want to extract some field's value and give it to the event variable. eg. acct = 07592111916
i use (?(?<=ACCOUNT=).*&$) to extract the value, but not works, where is my problem?
i debug the code in this site. http://grokdebug.herokuapp.com
1 answers
solution1
1 ACCPTED 2017-07-06 09:48:46
我认为您需要这样提取:
(?<acct>(?<=ACCOUNT=)[^&]+)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Logstash grok match pattern for message field
logstash / grok pattern file
How to match a pattern of “a=b c=d” with changing order in grok (logstash)?
Vim regular expression to match string with prefix and suffix
Logstash Grok pattern to cut split a string in the log line using regex
Logstash grok pattern to catch the first line with the string Exception
Logstash grok pattern to extract a part of String starts with and ends with
Use of ?> in Logstash Grok patterns
Logstash Grok pattern with double quotes
Grok pattern for logs sent to logstash
Related Tags