Grok pattern for a custom log line


I'm new to grok patterns and I'm trying to write one for the custom log line below. I want to extract the field values given in the log line, such as ServiceName, SystemDate, SequenceName, etc., plus TID, [0] and [timestamp]. Any help would be greatly appreciated.

Log:

TID: [0] [ESB] [2016-08-16 10:35:10,828] [jms-Worker-2]  INFO {org.apache.synapse.mediators.builtin.LogMediator} -  ServiceName = CustomerService_v1,SystemDate = 8/16/16 10:35 AM,ServerIP = 10.200.42.158,ServerHost = slllasp102.local,SequenceName = SendCustomerToTopic,Message = Going to Send Message to Customer Topic,MessageCode = null,ErrorMessage = null,ErrorDetail = null,ErrorException = null {org.apache.synapse.mediators.builtin.LogMediator}

My pattern:

\[%{TIMESTAMP_ISO8601:timestamp}\]\s+%{WORD:loglevel}\s+-\s+%{GREEDYDATA:ServiceName}

I'm unable to write a correct pattern that retrieves the fields one by one.

I completed your grok pattern; it should look like this:

TID: \[%{INT:TID}\] \[ESB\] \[%{TIMESTAMP_ISO8601:timestamp}\] \[jms-Worker-2\]\s+%{WORD:loglevel} {%{GREEDYDATA}} -\s+%{GREEDYDATA:fields} {%{GREEDYDATA}}

Then you use the kv filter to extract the fields; that is easier than doing it with the grok filter. The configuration should look like this:

kv {
  source => "fields" # That's the field I created in the grok filter containing the fields (ServiceName = CustomerService_v1,SystemDate = 8/16/16 10:35 AM...)
  value_split => "="
  field_split => ","
  trimkey => " "
  trim => " "
}

If you don't want to use the kv filter, you have to replace %{GREEDYDATA:fields} with: \s+ServiceName =%{GREEDYDATA:ServiceName},SystemDate =%{GREEDYDATA:SystemDate},...
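To check the grok + kv approach from the answer offline before loading it into Logstash, here is an added Python example (not code from the question or the answer) that expands the grok primitives the pattern uses (INT, TIMESTAMP_ISO8601, WORD) into plain regex and mimics the kv filter's split/trim behaviour on the sample log line. It generalises the answer's pattern by capturing the thread name instead of hard-coding jms-Worker-2; the kv_split helper is an approximation of the Logstash filter, not the filter itself.

```python
import re

# Constructed sample: the log line from the question, as one string.
SAMPLE = ("TID: [0] [ESB] [2016-08-16 10:35:10,828] [jms-Worker-2]  INFO "
          "{org.apache.synapse.mediators.builtin.LogMediator} -  "
          "ServiceName = CustomerService_v1,SystemDate = 8/16/16 10:35 AM,"
          "ServerIP = 10.200.42.158,ServerHost = slllasp102.local,"
          "SequenceName = SendCustomerToTopic,"
          "Message = Going to Send Message to Customer Topic,"
          "MessageCode = null,ErrorMessage = null,ErrorDetail = null,"
          "ErrorException = null "
          "{org.apache.synapse.mediators.builtin.LogMediator}")

# Regex equivalent of the answer's grok pattern. INT, TIMESTAMP_ISO8601 and
# WORD are hand-expanded to what this log format actually needs; the thread
# name ([jms-Worker-2]) is captured rather than hard-coded (an assumption).
GROK_RE = re.compile(
    r"^TID: \[(?P<TID>[+-]?\d+)\] \[ESB\] "
    r"\[(?P<timestamp>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[,.]\d+)?)\] "
    r"\[(?P<thread>[^\]]+)\]\s+(?P<loglevel>\w+)\s+\{[^}]*\}\s+-\s+"
    r"(?P<fields>.*?)\s+\{[^}]*\}$"
)


def kv_split(text, field_split=",", value_split="="):
    """Approximate Logstash kv with trim/trimkey set to a single space."""
    out = {}
    for pair in text.split(field_split):
        if value_split not in pair:
            continue  # fragment without a separator: no key/value to emit
        key, value = pair.split(value_split, 1)
        out[key.strip()] = value.strip()
    return out


def parse_line(line):
    """Return the parsed event, or None (the equivalent of _grokparsefailure)."""
    m = GROK_RE.match(line)
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "fields"}
    event.update(kv_split(m.group("fields")))
    return event


if __name__ == "__main__":
    for key, value in sorted(parse_line(SAMPLE).items()):
        print(f"{key} = {value}")
```

Note that Message is free text: a comma or equals sign inside it would be cut into extra fragments by a "," / "=" split, so keys taken from such lines should be validated before they drive dashboards or alerts.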