grok过滤器(regex)用于提取方括号内的字符串
我的应用程序日志条目如下所示:grok过滤器(regex)用于提取方括号内的字符串,regex,pattern-matching,logstash-grok,square-bracket,Regex,Pattern Matching,Logstash Grok,Square Bracket,我的应用程序日志条目如下所示: 2015-06-24 14:03:16.7288 Sent request message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74] <Request>sometext</Request> 2015-06-24 14:38:05.2460 Received response message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74] <Response>
2015-06-24 14:03:16.7288 Sent request message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74] <Request>sometext</Request>
2015-06-24 14:38:05.2460 Received response message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74] <Response>sometext</Response>
2015-06-24 14:03:16.7288发送请求消息[649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74]一些文本
2015-06-24 14:38:05.2460收到响应消息[649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74]一些文本
grok {
match => ["message", "(?<content>(<Request(.)*?</Request>))"]
match => ["message", "(?<clienttoken>(Sent request message \[(.)*?\]))"]
add_tag => "Request"
break_on_match => false
tag_on_failure => [ ]
}
grok {
match => ["message", "(?<content>(<Response(.)*?</Response>))"]
match => ["message", "(?<clienttoken>(Received response message \[(.)*?\]))"]
add_tag => "Response"
break_on_match => false
tag_on_failure => [ ]
}
grok{
match=>[“message”,“(?(您可以使用lookback和lookahead断言
(?<=Sent request message \[).*?(?=\])
(?是否有任何方法打印组索引1?”(?(收到的响应消息\[(.*)\])”
是否有人有完整的grok语法示例用于匹配此(与字段名)?我似乎在自定义匹配模式中嵌套我的“向前看/向后看”时遇到问题。例如(?)?(?@Toby你找到答案了吗?面对同样的问题。我的前向和后向使用REGEX工具,但使用logstash它们fail@AgentX我没有,也没有得到答复。
Content = <Response>sometext</Response>
clienttoken = Received response message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74]
Content = <Request>sometext</Request>
clienttoken = 649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74
(?<=Sent request message \[).*?(?=\])