我有一个复杂的grok过滤器表达式...是否可以获得此过滤器转换为的正则表达式?
答案 0 :(得分:2)
您可以使用一个简单的Perl脚本来读取模式文件,并将%{PATTERN}内容替换为它所基于的实际正则表达式 - 您必须自定义这一点,但它显示了如何做到这一点:
#!/usr/bin/perl
# this is the path to your grok-patterns file
open(F,"patterns/grok-patterns");
while (<F>) {
chomp;
if (/^(\S+) (.*)/) {
$pattern{$1} = $2;
}
}
close(F);
# this is the grok pattern I want to expand
$pattern='%{IP:junk} %{COMBINEDAPACHELOG:junk2}';
while ($pattern =~ /(%\{([^:\}]+):?[^\}]*\})/) {
$name = $2;
substr($pattern,$-[0],$+[0]) = $pattern{$name};
}
print $pattern,"\n";