Question

以下只是我日志的一小部分：

2018-12-06 18:55:20 INFO  epo - myfile.xml is loaded successfully
2018-12-06 18:55:20 INFO  epo - checking that whether the given file name is already present
2018-12-06 18:55:20 INFO  epo - some logging deatils
2018-12-06 18:55:20 INFO  epo - Entry has been added to table.
2018-12-06 18:55:20 INFO  epo - Total number of records processed 0000035
2018-12-06 18:55:20 INFO  epo - some logging deatils
2018-12-07 09:57:59 INFO  epo - myfile.xml is loaded successfully
2018-12-07 09:57:59 INFO  epo - [ElasticSearch] => PIN07122018F00001 request sent successfully.
2018-12-06 18:55:20 INFO  epo - myfile.xml is loaded successfully
2018-12-06 18:55:20 INFO  epo - checking that whether the given file name is already present
2018-12-06 18:55:20 INFO  epo - some logging deatils
2018-12-06 18:55:20 INFO  epo - Entry has been added to table.
2018-12-06 18:55:20 INFO  epo - Total number of records processed 0000035
2018-12-06 18:55:20 INFO  epo - some logging deatils
2018-12-07 09:57:59 INFO  epo - myfile.xml is loaded successfully
2018-12-07 09:57:59 INFO  epo - [ElasticSearch] => PIN07122018F00002 request sent unsuccessfully.

在此日志中，我想选择包含请求ID（例如PIN07122018F00001和PIN07122018F00002）的行，并将其发送到Elastic Search。

我为此目的使用logstash，而我的grok模式是：

input {
  . . .
}

filter {
  grok {
    patterns_dir => ["/myServer/mnt/appln/folder1/folder2/logstash/pattern"]
    match => { "message" => '^%{TIMESTAMP_ISO8601:timestamp} INFO  epo - \[ElasticSearch\] => %{REQ_ID:requestid} %{MSG:statusmsg}$' }
  }
}

output{
    . . .
}

其中DEPOSITORY_REQ_ID和MSG定义为：

MSG (A-Za-z0-9 )+
REQ_ID PIN[0-9]{8}[A-Z]{1}[0-9]{5}

但是我仍然无法匹配所需的行，这种模式占用了所有行。请告诉我匹配行的模式是什么：

2018-12-07 09:57:59 INFO epo-[ElasticSearch] => PIN07122018F00001 请求已成功发送。

请帮助。

Answer 1

问题出在MSG模式上。 ()表示捕获组，它将尝试匹配()的确切内容。您要使用的情况是[]，它表示一个字符类，它将匹配该类中的所有字符。此外，它也缺少出现在行尾的.。

应该用这种方式定义您的模式，这将解决您的问题：

MSG [A-Za-z0-9 \.]+

此自定义日志模式的Grok模式将是什么？

1 个答案: