[英]grok - how do you find a quoted string
我正在尝试从nginx日志文件中获取输出,并将其发送到logstash。
10.1.10.20 - bob [14/Feb/2014:18:57:05 +0000] “POST /main/foo.git/git-upload-pack HTTP/1.1” 200 3653189 “-” “git/1.8.3.4 (Apple Git–47)”
格罗克能够找到前三个字很好
10.1.10.20 - bob [14/Feb/2014:18:57:05 +0000]
%{IPV4:user_ip} - %{USERNAME:user_name} \[%{HTTPDATE:time_local}\]
Grok能够很好地找到第三个和第四个单词
[14/Feb/2014:18:57:05 +0000] “POST /main/foo.git/git-upload-pack HTTP/1.1”
\[%{HTTPDATE:time_local}\] %{QUOTEDSTRING:request}
但是,当我将它们组合起来并尝试找到全部4个时,grok表示没有结果(使用http://grokdebug.herokuapp.com/进行测试)
10.1.10.20 - bob [14/Feb/2014:18:57:05 +0000] “POST /main/foo.git/git-upload-pack HTTP/1.1”
%{IPV4:user_ip} - %{USERNAME:user_name} \[%{HTTPDATE:time_local}\] %{QUOTEDSTRING:request}
#not found
在上面的示例中,有人知道如何获取带引号的字符串吗?
我是grok的新手,所以也许我没有正确地做到这一点。
更新资料
有趣的是,如果我使用以下日志行,然后手动输入网址,它确实可以工作
bob 14/Feb/2014:18:57:05 +0000 "herp"
#Once herp works, replace herp, with POST
bob 14/Feb/2014:18:57:05 +0000 "POST"
#Once POST works, keep expounding until the whole thing is in place
autobuild 14/Feb/2014:18:57:05 +0000 "POST /main/builder.git/git-upload-pack HTTP/1.1"
"POST /main/builder.git/git-upload-pack HTTP/1.1"
“%{WORD:动词}%{URIPATHPARAM:请求} HTTP /%{NUMBER:httpversion}”
发布到堆栈溢出的过程确定了问题。
如果仔细看,双引号的解析方式会有所不同
"POST
与
“POST
手动输入双引号可解决问题
您还可以在日志更改的情况下使用此表达式:
"%{WORD:verb}(?:| %{URIPATHPARAM:request})(?:| HTTP/%{NUMBER:httpversion})"
它与以下项匹配:
"POST /main/builder.git/git-upload-pack HTTP/1.1"
要么
"POST /main/builder.git/git-upload-pack"
要么
"POST"
试试吧.. ;)
使用pyparsing,如何解析以反斜杠结尾的带引号的字符串
[英]With pyparsing, how do you parse a quoted string that ends with a backslash
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.