多行的 Grok 模式不起作用
Grok Pattern for multiline is not working
1st| 2nd|3rd |4th |5th |6th |7th |8th |2012.07.12 05:31:04 |10th |ProductDir: C:\samplefiles\test\storage.0 (LF)
C:\samplefiles\test\storage.0 (LF)
SampleDir: (LF)
注意:LF -> 换行 正在追加
我已经尝试了以下选项..似乎没有任何效果
match => [ "message", "(?m)....(?<message>(.|\r|\n)*)- Greedydata 也没有工作,因为它没有考虑换行。
mutate {gsub => ["message", "\n", "LINE_BREAK"] }codec => multiline { pattern => "^\s" negate => true what => previous }
(?m)%{GREEDYDATA} 将匹配任何多行日志,包括您的日志。
请测试一下here
下面的对我有用。
codec => multiline{
pattern => "^\s*\d{1,}\|"
negate => "true"
what => "previous"
}
1st| 2nd|3rd |4th |5th |6th |7th |8th |2012.07.12 05:31:04 |10th |ProductDir: C:\samplefiles\test\storage.0 (LF) C:\samplefiles\test\storage.0 (LF) SampleDir: (LF)
注意:LF -> 换行 正在追加
我已经尝试了以下选项..似乎没有任何效果
match => [ "message", "(?m)....(?<message>(.|\r|\n)*)- Greedydata 也没有工作,因为它没有考虑换行。
mutate {gsub => ["message", "\n", "LINE_BREAK"] }codec => multiline { pattern => "^\s" negate => true what => previous }
(?m)%{GREEDYDATA} 将匹配任何多行日志,包括您的日志。
请测试一下here
下面的对我有用。
codec => multiline{
pattern => "^\s*\d{1,}\|"
negate => "true"
what => "previous"
}