elasticsearch,Logstash,Grok,Logz.io" />
elasticsearch,logstash,grok,logz.io,Regex,Regex 使用Grok从路径字符串和返回路径中过滤出UUID
下面是我试图筛选的日志的一行示例:Regex 使用Grok从路径字符串和返回路径中过滤出UUID,regex,
elasticsearch,logstash,grok,logz.io,Regex,
Request starting HTTP/1.1 GET http://api0.api.sin/api/social/v1/owner/4b3b60f6-1a54-4fbc-87b5-cc44496a6dbf/feeds/notifications/unread/count
{
"message": [
[
"Request starting"
]
],
"httpversion": [
[
"1.1"
]
],
"BASE10NUM": [
[
"1.1"
]
],
"verb": [
[
"GET"
]
],
"request": [
[
"http://api0.api.sin/api/social/v1/owner/feeds/notifications/unread/count"
]
],
"uuid": [
[
"4b3b60f6-1a54-4fbc-87b5-cc44496a6dbf"
]
]
}
%{DATA:message}(?: HTTP/%{NUMBER:httpversion}) %{WORD:verb} %{NOTSPACE:request}%{UUID:uuid}%{NOTSPACE:request}
您可以将UUID之前和之后的部分捕获到单独的组中,然后可以将这两个值合并到一个字段中:
grok {
match => {
"message" => "%{DATA:message}(?: HTTP/%{NUMBER:httpversion}) %{WORD:verb} %{NOTSPACE:request1}/%{UUID:uuid}%{NOTSPACE:request2}"
}
}
mutate {
add_field => {
"request" => "%{request1}%{request2}"
}
}
request1request2mutaterequest%{DATA:message}(?: HTTP/%{NUMBER:httpversion}) %{WORD:verb} (?<request>.*?(?<UUID>[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12})\S*)
%{DATA:message}(?:HTTP/%{NUMBER:httpversion})%{WORD:verb}(?.*?(?[a-fA-F0-9]{8}(?:-[a-fA-F0-9]{4}){3}-[a-fA-F0-9]{12})\S*)
因为无法将两个不相交的文本字符串匹配到一个捕获组中谢谢你的回答,但我使用的是logzio,我无法访问logstash的过滤器,如mutate,如果可能的话,我只能用grok来解决这个问题。@NatanGirma无论如何,你不能将两个不相交的文本字符串匹配到一个捕获组中,所以你被卡住了。您可能应该发出支持通知单。好的,谢谢您的建议,我将与支持团队联系。@NatanGirma我添加了一种解决方法,
请求