How to combine characters to create a custom pattern in Grok
I am new to logstash and grok and have a question about patterns.

    Jul 26 09:46:37

The above contains %{MONTH} %{MONTHDAY} %{TIME} and spaces.
I need to know how to combine all of these and create a single pattern, %{sample_timestamp}.
Thanks!
Quoting from the Grok Custom Patterns Docs (RTFM):

First, you can use the Oniguruma syntax for named capture which will let you match a piece of text and save it as a field:

    (?<field_name>the pattern here)
...
Alternately, you can create a custom patterns file.
- Create a directory called patterns with a file in it called extra (the file name doesn’t matter, but name it meaningfully for yourself)
- In that file, write the pattern you need as the pattern name, a space, then the regexp for that pattern.
So you can create a pattern file containing the line:

    CUST_DATE %{MONTH} %{MONTHDAY} %{TIME}
Then use the patterns_dir setting in this plugin to tell logstash where your custom patterns directory is.

    filter {
      grok {
        patterns_dir => ["./patterns"]
        match => { "message" => "%{CUST_DATE:datestamp}" }
      }
    }

which would result in the field:

    datestamp => "Jul 26 09:46:37"
Filter

Define your pattern with pattern_definitions:

    filter {
      grok {
        pattern_definitions => { "MY_DATE" => "%{MONTH} %{MONTHDAY} %{TIME}" }
        match => { "message" => "%{MY_DATE:timestamp}" }
      }
    }

Result

    {
      "timestamp": "Jul 26 09:46:37"
    }

Tested with Logstash 6.5.
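Both answers above rest on the same mechanism: a grok pattern is a tree of %{NAME} references that the filter expands into one plain regular expression before matching. The following is an added example, not code from the question or from either answer, that reproduces that expansion in Python so the composition of MY_DATE out of MONTH, MONTHDAY and TIME can be inspected and tested offline. The base definitions here are constructed, simplified stand-ins for the stock Logstash grok patterns (the real ones accept more spellings), the syslog-style line is constructed, and the function names expand and grok_match are my own.

```python
import re

# Constructed, simplified stand-ins for the stock Logstash grok patterns the
# answers rely on (MONTH, MONTHDAY, TIME and their parts). The real
# definitions in Logstash's grok-patterns file are longer and stricter.
BASE_PATTERNS = {
    "MONTH": (
        r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?"
        r"|July?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?"
        r"|Dec(?:ember)?)\b"
    ),
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "WORD": r"\b\w+\b",
}

# A grok reference is either %{NAME} or %{NAME:field}.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern, definitions, _stack=()):
    """Recursively replace every %{NAME[:field]} with the regex it names.

    %{NAME:field} becomes a named capture group (grok's Oniguruma form
    (?<field>...) is spelled (?P<field>...) for Python's re module);
    a bare %{NAME} becomes a non-capturing group and stores nothing.
    """
    def replace(match):
        name, field = match.group(1), match.group(2)
        if name in _stack:
            chain = " -> ".join(_stack + (name,))
            raise ValueError(f"pattern {name} refers to itself: {chain}")
        if name not in definitions:
            raise KeyError(f"unknown grok pattern {name}")
        inner = expand(definitions[name], definitions, _stack + (name,))
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return GROK_REF.sub(replace, pattern)


def grok_match(line, match_pattern, pattern_definitions=None):
    """Mimic one grok filter: custom definitions override the base set,
    the match pattern is expanded to a plain regex and searched (grok does
    not anchor by default). Returns the captured fields as a dict, or None
    when the line does not match (the case grok tags _grokparsefailure).
    """
    definitions = dict(BASE_PATTERNS)
    definitions.update(pattern_definitions or {})
    regex = re.compile(expand(match_pattern, definitions))
    found = regex.search(line)
    return found.groupdict() if found else None


if __name__ == "__main__":
    # Same custom definition as the pattern_definitions answer.
    custom = {"MY_DATE": "%{MONTH} %{MONTHDAY} %{TIME}"}
    print(expand("%{MY_DATE:timestamp}", {**BASE_PATTERNS, **custom}))
    print(grok_match("Jul 26 09:46:37", "%{MY_DATE:timestamp}", custom))
    # Constructed syslog-style line: the custom pattern composes further,
    # and the leading ^ anchors it so a partial match cannot be mistaken
    # for success.
    print(grok_match("Jul 26 09:46:37 web01 sshd[42]: session opened",
                     "^%{MY_DATE:timestamp} %{WORD:host}", custom))
    print(grok_match("no timestamp here", "%{MY_DATE:timestamp}", custom))
```

Printing the expanded regex is the quickest way to see why the question's original attempt needed a definition: %{sample_timestamp} has no entry to expand to, so the filter has nothing to substitute. Two details carry over to real Logstash configs: a reference without a field name (%{MY_DATE}) only contributes to matching and stores nothing, and anchoring the match with ^ and $ both prevents partial matches and limits regex backtracking on lines that do not fit.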