在多线上使用Regex的Spark RDD [String]上的正则表达式
我正在尝试使用scala解析Spark 1.6中的日志文件,这里是示例数据
2017-02-04 04:48:11,123 DEBUG [org.quartz.core.QuartzSchedulerThread] - <batch acquisition of 0 triggers>
2017-02-04 04:48:20,892 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-7d937-yRqp6ObM7JOtkUZ7Ff4yEo95-casino1.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CASINO
WHEN: Sat Feb 04 04:48:20 AEDT 2017
CLIENT IP ADDRESS: 160.50.201.557
SERVER IP ADDRESS: login.cfu.asg
=============================================================
>
2017-02-04 04:48:32,165 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2017-02-04 04:48:32,167 INFO [org.jasig.casino.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2017-02-04 04:48:38,889 DEBUG [org.quartz.core.QuartzSchedulerThread] - <batch acquisition of 1 triggers>
2017-02-04 04:48:52,790 DEBUG [org.quartz.core.QuartzSchedulerThread] - <batch acquisition of 0 triggers>
2017-02-04 04:48:52,790 DEBUG [org.quartz.core.JobRunShell] - <Calling execute on job DEFAULT.serviceRegistryReloaderJobDetail>
2017-02-04 04:48:52,790 INFO [org.jasig.casino.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2017-02-04 04:48:52,792 DEBUG [org.jasig.casino.services.DefaultServicesManagerImpl] - <Adding registered service ^(https?|imaps?)://.*>
2017-02-04 04:48:52,792 DEBUG [org.jasig.casino.services.DefaultServicesManagerImpl] - <Adding registered service
2017-02-04 04:48:52,792 INFO [org.jasig.casino.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2017-02-04 04:49:14,365 INFO [org.jasig.casino.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2017-02-04 04:49:14,366 INFO [org.jasig.casino.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2017-02-04 04:49:19,699 DEBUG [org.quartz.core.QuartzSchedulerThread] - <batch acquisition of 0 triggers>
2017-02-04 04:49:43,465 DEBUG [org.quartz.core.QuartzSchedulerThread] - <batch acquisition of 0 triggers>
2017-02-04 04:50:00,978 INFO [org.jasig.casino.authentication.PolicyBasedAuthenticationManager] - <JaasAuthenticationHandler successfully authenticated >
2017-02-04 04:50:00,978 INFO [org.jasig.casino.authentication.PolicyBasedAuthenticationManager] - <Authenticated 3785973 with credentials.>
2017-02-04 04:50:00,978 INFO [org.jasig.inspektr.nhgij.support.Slf4jLogggbhAuditTrailManaver] - <Audit trail record BEGIN
=============================================================
WHO: z3705z73
WHAT: supplied credentials: [d37c5973]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: casinoINO
WHEN: Sat Feb 04 04:50:00 AEDT 2017
CLIENT IP ADDRESS: 101.181.28.555
SERVER IP ADDRESS: login.cfu.asg
=============================================================
>
数据继续存在,模式之间可能存在其他日志数据,这与我的解析无关。我有大约40GB的文件,每个文件包含一天的数据。
所有这些文件都是gzip压缩的。我尝试使用sc.wholeTextFiles来获得一对RDD,但是当每个文件在400mb到800mb(未压缩)之间时,会遇到Java堆空间错误。
所以我开始使用sc.textFile并尝试一个读取一个文件。我可以创建一个RDD [String],幸运的是sc.textFile在对此RDD运行任何操作时都不会返回任何堆空间问题。
这是我试过的代码。
val casinop2 = sc.wholeTextFiles("/logdata/casino/catalina.out-20150228.gz")
val casop = casinop2.flatMap(x=>x.split("\n"))
.filter(x=> !(x.contains("Reloading registered services") || x.contains("Loaded 2 services.") || x.contains("DEBUG") || x.contains("ERROR") || x.contains("java.lang.RuntimeException") || x.contains("Caused by:") || x.contains("Granted ticket") || x.contains("java.lang.IllegalStateException") || x.startsWith("\t") || x.contains("org.jasig.cas.authentication.PolicyBasedAuthenticationManager") ))
val pattern = new Regex("""((\d{4})-(\d{2})-\d{2}\s\d{2}:\d{2}:\d{2}),\d{3}\s+(\w+)\s+\[(.*)\]\s+\-\s+\<.*\s\=*\s+([W][H][O]\:)\s+(.*)\s+([W][H][A][T]\:)\s+(.*)\s+([A][C][T][I][O][N]\:)\s+(.*)\s+([A][P][P][L][I][C][A][T][I][O][N]\:)\s+(.*)\s+([W][H][E][N]\:)\s+(.*)\s+([A-Z\s]{17}\:)\s+(.*)\s+([A-Z\s]{17}\:)\s+(.*)\s+\=*\s\s\>""")
pattern: scala.util.matching.Regex = ((\d{4})-(\d{2})-\d{2}\s\d{2}:\d{2}:\d{2}),\d{3}\s+(\w+)\s+\[(.*)\]\s+\-\s+\<.*\s\=*\s+([W][H][O]\:)\s+(.*)\s+([W][H][A][T]\:)\s+(.*)\s+([A][C][T][I][O][N]\:)\s+(.*)\s+([A][P][P][L][I][C][A][T][I][O][N]\:)\s+(.*)\s+([W][H][E][N]\:)\s+(.*)\s+([A-Z\s]{17}\:)\s+(.*)\s+([A-Z\s]{17}\:)\s+(.*)\s+\=*\s\s\>
case class MLog(datetime: String, message: String, process: String, who: String, what: String, action: String, application: String, when: String, clientipaddress: String, serveripaddress: String,year: String, month: String)
pattern.findAllMatchIn(casop.collect.toString).toList
现在最后一个语句抛出了我的heapspace错误。我想将rdd变成字符串变量的原因是正则表达式需要多行输入,而不是单行。对于单行,我会使用地图,平面图等。
我应该从日志文件中得到的输出
|2017-02-04 04:54:41| INFO|org.jasig.inspekt...| s4542732|supplied credenti...|AUTHENTICATION_SU...| CAS|Sat Feb 04 04:54:...| 175.163.28.77|login.vu.edu.au|2017| 02|
|2017-02-04 04:54:41| INFO|org.jasig.inspekt...| s4542732|TGT-78959-EX63Wf2...|TICKET_GRANTING_T...| CAS|Sat Feb 04 04:54:...| 175.163.28.77|login.vu.edu.au|2017| 02|
|2017-02-04 04:54:41| INFO|org.jasig.inspekt...| 4542732|ST-474481-jTxCJFB...|SERVICE_TICKET_CR...| CAS|Sat Feb 04 04:54:...| 175.163.28.77|login.vu.edu.au|2017| 02|
|2017-02-04 04:54:44| INFO|org.jasig.inspekt...|audit:unknown|ST-474481-jTxCJFB...|SERVICE_TICKET_VA...| CAS|Sat Feb 04 04:54:...| 203.13.194.68|login.vu.edu.au|2017| 02|
|2017-02-04 04:55:02| INFO|org.jasig.inspekt...| s3785573|supplied credenti...|AUTHENTICATION_SU...| CAS|Sat Feb 04 04:55:...| 101.181.28.125|login.vu.edu.au|2017| 02|
|2017-02-04 04:55:02| INFO|org.jasig.inspekt...| s3785573|TGT-78960-yWaWkcN...|TICKET_GRANTING_T...| CAS|Sat Feb 04 04:55:...| 101.181.28.125|login.vu.edu.au|2017| 02|
|2017-02-04 04:55:02| INFO|org.jasig.inspekt...| 3785573|ST-474482-rARxdUG...|SERVICE_TICKET_CR...| CAS|Sat Feb 04 04:55:...| 101.181.28.125|login.vu.edu.au|2017| 02|
|2017-02-04 04:55:02| INFO|org.jasig.inspekt...|audit:unknown|ST-474482-rARxdUG...|SERVICE_TICKET_VA...| CAS|Sat Feb 04 04:55:...| 203.13.194.68|login.vu.edu.au|2017| 02|
+-------------------+-------+--------------------+-------------+--------------------+--------------------+-----------+--------------------+---------------+---------------+----+-----+
我们如何阅读多行输入并输入正则表达式?
1 个答案:
答案 0 :(得分:1)
我已经修复并改进了你的正则表达式,它现在应该适用于几行上的最后一个日志:
正则表达式是以下野兽:
(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}),\d{3}\s+(\w+)\s+\[(.*)\]\s+\-\s+<[^>]*\s\=*\s+WHO\:\s+([^>\n]*)\s+WHAT\:\s+([^>\n]*)\s+ACTION\:\s+([^>\n]*)\s+APPLICATION\:\s+([^>\n]*)\s+WHEN\:\s+([^>\n]*)\s+([A-Z\s]{17}\:)\s+([^>\n]*)\s+([A-Z\s]{17}\:)\s+([^>\n]*)\s+\=*\s\s>
我已经使用您应该根据您的具体需求调整的以下替换模式对您的日志进行了尝试:
\1 | \2 | \3 | WHO:\4 | WHAT: \5 | ACTION: \6 | APPLICATION: \7 | WHEN: \8 | \9 $10 | $11 $12
结果如下:
最后但同样重要的是,您可能需要更改堆大小:--executor-memory 10g
- 正则表达式与多行字符串
- 使用多行字符串替换Javascript多行字符串
- Spark RDD [(String,String)]到RDD [Map [String,String]]
- Scala - RDD [string]到RDD [vector]
- 将RDD [String]转换为RDD [Array [String]]
- 将RDD [String,String]转换为RDD [Int,Int]
- 将字符串RDD转换为Int RDD
- RDD类型的Spark RDD上的聚合函数[String,Int,String]
- 在多线上使用Regex的Spark RDD [String]上的正则表达式
- 将RDD [(String,Map [String,Int])]展平为RDD [String,String,Int]
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?