Regex 用于匹配重复k/v对和logstash中的尾随字符串的正则表达式
我需要写一点正则表达式,这有点过头了。这里的目标是在logstash筛选器中解析以下类型的日志行:Regex 用于匹配重复k/v对和logstash中的尾随字符串的正则表达式,regex,logstash-grok,regex-greedy,Regex,Logstash Grok,Regex Greedy,我需要写一点正则表达式,这有点过头了。这里的目标是在logstash筛选器中解析以下类型的日志行: severity=I time=2017-02-23T10:04:31Z [SKYLIGHT] [0.5.1] Unable to start severity=I time=2017-02-23T10:04:31Z adapter=redis adapter_host=1.1.1.1 Cache read: /model/reference/6235290d29a17a935f4d3d72d2e
severity=I time=2017-02-23T10:04:31Z [SKYLIGHT] [0.5.1] Unable to start
severity=I time=2017-02-23T10:04:31Z adapter=redis adapter_host=1.1.1.1 Cache read: /model/reference/6235290d29a17a935f4d3d72d2e0a903750dd54b
severity=I time=2017-02-23T10:04:31Z remote_ip=1.1.1.1 uuid=daa8090d method=GET path=/somepath.json format=json controller=app action=index status=200 duration=30.47 view=10.04
severity=D time=2017-02-23T10:04:31Z remote_ip=1.1.1.1 uuid=daa8090d SOLR Request (18.3ms) [path=/admin/luke parameters={numTerms: 0}]
基本上,输出格式是一组任意的k=v对,后跟偶尔出现的“原始消息”。直接使用logstash k/v过滤器会产生不需要的行为,因为后面的“message”可以嵌套k=v格式,比如上面最后一行日志中的path=/admin/luke。我的工作计划是将日志捕获为两部分,即作为字符串的k/v对和尾随消息,在这一点上,k/v字符串可以发送到正常的logstash kv过滤器。例如,最终的日志行将生成两个组:
severity=D time=2017-02-23T10:04:31Z remote_ip=1.1.1.1 uuid=daa8090d
SOLR Request (18.3ms) [path=/admin/luke parameters={numTerms: 0}]
日志文档的最终目标是:
[
{
"severity": "I",
"time": "2017-02-23T10:04:31Z",
"message": "[SKYLIGHT] [0.5.1] Unable to start"
},
{
"severity": "I",
"time": "2017-02-23T10:04:31Z"
"adapter": "redis",
"adapter_host": "1.1.1.1",
"message": "Cache read: /model/reference/6235290d29a17a935f4d3d72d2e0a903750dd54b"
},
{
"severity": "I",
"time": "2017-02-23T10:04:31Z",
"message": "[SKYLIGHT] [0.5.1] Unable to start"
},
{
"severity": "I",
"time": "2017-02-23T10:04:31Z",
"remote_ip": "1.1.1.1",
"uuid": "daa8090d",
"method": "GET",
"path": "/somepath.json",
"format": "json",
"controller": "app",
"action": "index",
"status": "200",
"duration": "30.47",
"view": "10.04"
},
{
"severity": "D",
"time": "2017-02-23T10:04:31Z",
"remote_ip": "1.1.1.1",
"uuid": "daa8090d",
"message": "SOLR Request (18.3ms) [path=/admin/luke parameters={numTerms: 0}]"
}
]
谢谢大家! 对于每一行,使用以下正则表达式:
(?:([^ =]+)=([^ =]+) ?)|(.+)
说明:
-“外部”,非捕获组((?:
)xxxx=yyyy
-第一个捕获组(([^=]+)
)xxxx
-等号(介于=
和xxxx
之间)yyyy
-第二个捕获组(([^=]+)
)yyy
-空格(可能出现)?
“外部”组结束)
-变量之间的分隔符|
-第二个变体-第三个捕获组,任何非空字符序列(.+)
|
之前),
捕获xxxx=yyyy
对
然后,如果第一个变量失败(在所有xxxx=yyyy
对之后),
尝试第二种变体,捕获消息(如果有)
我使用在线验证器(regex101.com)为每个输入行尝试了这个正则表达式
例如,最后一排
(severity=D time=2017-02-23T10:04:31Z remote_ip=1.1.1.1 uuid=daa8090d SOLR请求(18.3ms)[path=/admin/luke parameters={numTerms:0}
)
我得到了以下结果:
Match 1
Full match 0-11 `severity=D `
Group 1. 0-8 `severity`
Group 2. 9-10 `D`
Match 2
Full match 11-37 `time=2017-02-23T10:04:31Z `
Group 1. 11-15 `time`
Group 2. 16-36 `2017-02-23T10:04:31Z`
Match 3
Full match 37-55 `remote_ip=1.1.1.1 `
Group 1. 37-46 `remote_ip`
Group 2. 47-54 `1.1.1.1`
Match 4
Full match 55-69 `uuid=daa8090d `
Group 1. 55-59 `uuid`
Group 2. 60-68 `daa8090d`
Match 5
Full match 69-133 `SOLR Request (18.3ms) [path=/admin/luke parameters={numTerms: 0}`
Group 3. 69-133 `SOLR Request (18.3ms) [path=/admin/luke parameters={numTerms: 0}`
注意,在匹配1到4的情况下,找到了组1和组2
但在最后一场比赛中,第3组被发现
因此,在处理每个匹配时,您必须检查:
- 如果组1不为空,则组2也不为空
它们包含
和k
v
- 否则,组3保存消息的内容