Regex: using the logstash library to filter a log file


I am trying to filter the following log file:

+---------+---------+---------+---------+---------+---------+---------+----
.Logon hostname/username,

 *** Logon successfully completed.
 *** Teradata Database Release is 14.00.06.05
 *** Teradata Database Version is 14.00.06.05
 *** Transaction Semantics are BTET.
 *** Session Character Set Name is 'ASCII'.

 *** Total elapsed time was 1 second.

+---------+---------+---------+---------+---------+---------+---------+----
select current_timestamp as started_test;

 *** Query completed. One row found. One column returned.
 *** Total elapsed time was 1 second.

                    started_test
--------------------------------
2014-10-06 17:44:39.220000+00:00

+---------+---------+---------+---------+---------+---------+---------+----
select * from database.view sample 2;

 *** Query completed. 2 rows found. 41 columns returned.
 *** Total elapsed time was 2 seconds.


select current_timestamp as finished_test;

 *** Query completed. One row found. One column returned.
 *** Total elapsed time was 1 second.

                   finished_test
--------------------------------
2014-10-06 17:44:41.330000+00:00

with this logstash filter:


input{
        file {
                path => "/home/iv41/perfmon.log"
        }
        stdin {}
}

filter {
        grok{
                match => ["message", "%{/\s+started_test/:start_time} START id: (?<task_id>.*)"]
                add_tag => ["testStarted"]
        }

        grok{
                match => ["message", "%{/\s+finished_test/:end_time} END id: (?<task_id>.*)"]
                add_tag => ["testEnded"]
        }

        if [start_time] != "/\s+started_test/"{
                if [end_time] != "/\s+finished_test/"{
                        drop {}
                }
        }

        elapsed {
                start_tag => "testStarted"
                end_tag => "testEnded"
                unique_id_field => "task_id"
        }
}

output{
        stdout {}
}

I think there may be a problem with my regex and the task ID.


Essentially, I am trying to pull out the time taken from started_test to finished_test. Does anyone know a better way, or can see where my code goes wrong?

The %{NAMED_PATTERN:capture_name} syntax is for named captures. You also need to use the multiline codec or filter to combine these lines together so that they can be matched correctly.

Thanks Alcanzar. As you pointed out, it uses the named pattern syntax for matching, but I don't know how to tag it on the condition that the word is "started" or "finished". I tried an if statement inside grok, but it failed with an error saying that if should not appear there.

You don't want to use != there. You want to use !~. The docs show regexp: =~ and !~
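Putting the answer's three points together (named captures, a multiline codec so the query line and the returned timestamp land in one event, and =~ rather than != for regexp conditionals), the following is an added example configuration, not the asker's or the answerer's code. It assumes the same file path as in the question, that each block of interest begins with a "select ...;" line as in the sample log, and that start_position and a constant task_id (the log carries no id of its own) are acceptable for a single test run.

```logstash
input {
  file {
    # Same file as in the question; start_position is an assumption so that
    # an existing file is read from the top instead of only tailed.
    path => "/home/iv41/perfmon.log"
    start_position => "beginning"
    # Every "select ...;" line opens a new event; the following lines (the
    # "***" status lines, the column header and the returned value) are
    # glued onto it. auto_flush_interval emits the final block at end of file.
    codec => multiline {
      pattern => "^select"
      negate => true
      what => "previous"
      auto_flush_interval => 5
    }
  }
}

filter {
  # Named captures: (?<name>...) for an ad-hoc regex, %{PATTERN:name} for
  # grok's library patterns. The marker word becomes [phase] and the
  # timestamp the database returned becomes [event_ts].
  grok {
    match => { "message" => "select current_timestamp as (?<phase>started_test|finished_test);[\s\S]*?(?<event_ts>%{TIMESTAMP_ISO8601})" }
  }

  # Blocks that are not one of the two marker queries (the logon banner,
  # the sampled view) fail grok and are dropped.
  if "_grokparsefailure" in [tags] {
    drop {}
  }

  # Regexp conditionals use =~ / !~, not != against a "/.../" string.
  if [phase] =~ /^started/ {
    mutate { add_tag => ["testStarted"] }
  } else if [phase] =~ /^finished/ {
    mutate { add_tag => ["testEnded"] }
  }

  # elapsed measures the gap between the two events' @timestamp values, so
  # @timestamp is taken from the database's timestamp rather than from the
  # moment Logstash read the line.
  date {
    match => ["event_ts", "yyyy-MM-dd HH:mm:ss.SSSSSSZZ"]
  }

  # The log has no task id, so one constant id (an assumption here) pairs the
  # single start/end of this run; a real id would be captured from the log.
  mutate { add_field => { "task_id" => "perfmon-run" } }

  elapsed {
    start_tag => "testStarted"
    end_tag => "testEnded"
    unique_id_field => "task_id"
  }
}

output {
  # The finished_test event carries [elapsed_time] in seconds (about 2.11 s
  # for the sample log: 17:44:39.22 to 17:44:41.33) and the "elapsed" tag.
  stdout { codec => rubydebug }
}
```

The order of the filters matters: grok must run before the conditionals so [phase] exists, and date must run before elapsed so the comparison uses the log's own timestamps. The _grokparsefailure check replaces the original nested != test, which compared the captured field against the literal string "/\s+started_test/" and therefore never dropped anything.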