我想从一个以Exception结尾的字符串中获取前10个字符。 示例:我有这样的字段:
"ERRORMESSAGE" => "local exporter [default_local] - failed to delete indice
s\r\nRemoteTransportException[[data-2][10.0.x.x:x300][indices:admin/delete]];
nested: IndexNotFoundException[no such index];\r\nCaused by: [.marvel-es-1-2017
.06.07] IndexNotFoundException[no such index]\r\n at org.elasticsearch.cl
uster.metadata.MetaDataDeleteIndexService$1.execute(MetaDataDeleteIndexService.j
ava:91)\r\n at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(C
lusterStateUpdateTask.java:45)\r\n at org.elasticsearch.cluster.service.I
nternalClusterService.runTasksForExecutor(InternalClusterService.java:468)\r\n
at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run
(InternalClusterService.java:772)\r\n at org.elasticsearch.common.util.co
ncurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndCl
ean(PrioritizedEsThreadPoolExecutor.java:231)\r\n at org.elasticsearch.co
mmon.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunna
ble.run(PrioritizedEsThreadPoolExecutor.java:194)\r\n at java.util.concur
rent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\r\n at ja
va.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\r\
n at java.lang.Thread.run(Thread.java:745)\r",
我需要捕获以Exception结尾的字符串。为此,我使用了这个
grok {
match => ["ERRORMESSAGE", "(?<ExceptionType>{10}.Exception)"]
}
我在哪里找到以Exception结尾的字符串的前10个字符,但我收到此错误{:exception=>"RegexpError"。还有一个问题是,如果有更多字符串以ERRORTYPE字段中的Exception结尾,那么上面的grok是否会产生两个或更多ExceptionType个字段?
由于
答案 0 :(得分:0)
正确的正则表达式为(?<ExceptionType>.{10}Exception)。量词({10})必须在它量化的令牌之前(.)(至少它是我理解它的方式,我不是正则表达式专家)。
grok过滤器将返回第一个匹配项。
在您的示例中,它将是eTransportException。