logstash-grok

问题 I have these logs: "03.08.2020 10:56:38","Event LClick","Type Menu","t=0","beg" "03.08.2020 10:56:38","Event LClick","Type Menu","Detail SomeDetail","t=109","end" "03.08.2020 10:56:40","Event LClick","t=1981","beg" "03.08.2020 10:56:40","Event LClick","t=2090","end" "03.08.2020 10:56:41","Event LClick","Type ToolBar","t=3026","beg" "03.08.2020 10:56:43","Event LClick","Type ToolBar","Detail User_Desktop","t=4477","end" "03.08.2020 10:56:44","Event FormActivate","Name Form_Name:IsaA","t=5444"

问题 I am attempting to write a grok expression that will result in multiple matches. I'm parsing a line that has 5 repetitions of the same pattern. I've been able to make a simple pattern with a regex that will return multiple matches but it seems that Grok doesn't work that way. I don't really understand Ruby so I haven't really inspected the code. Example input: 222444555 Pattern: (?<number>\d{3})* I would have expected output like this: "number" : [ [ "222", "444", "555" ] ] or something like

问题 I am attempting to write a grok expression that will result in multiple matches. I'm parsing a line that has 5 repetitions of the same pattern. I've been able to make a simple pattern with a regex that will return multiple matches but it seems that Grok doesn't work that way. I don't really understand Ruby so I haven't really inspected the code. Example input: 222444555 Pattern: (?<number>\d{3})* I would have expected output like this: "number" : [ [ "222", "444", "555" ] ] or something like

问题 I am attempting to write a grok expression that will result in multiple matches. I'm parsing a line that has 5 repetitions of the same pattern. I've been able to make a simple pattern with a regex that will return multiple matches but it seems that Grok doesn't work that way. I don't really understand Ruby so I haven't really inspected the code. Example input: 222444555 Pattern: (?<number>\d{3})* I would have expected output like this: "number" : [ [ "222", "444", "555" ] ] or something like

来源： https://stackoverflow.com/questions/59892953/logstash-parsing-data-from-two-different-filebeat-inputs

来源： https://stackoverflow.com/questions/59892953/logstash-parsing-data-from-two-different-filebeat-inputs

问题 I am struggling with data manipulation in logstash version 5.1, where some of the data come from open text fields with HTML markups. Most of the time it comes with only one marker, like this: <.p> XYZ <./p> and I am dealing with it using Grok. but when it comes like this: <.p><.b><.strong> XYZ <./strong><./b><./p> simple grok cant filter it out. My question is if there is a built-in filter for HTML markup or do i have to develop my own using regular expressions? Or do you know if in versions

问题 This may be a simple question, but in my logs the spaces between different fields are uncertain, that mean in some logs I can see two spaces and in some three between the same fields. How do we accommodate this in GROK? 回答1: Grok is at it's heart an overlay on Regex's. So in your grok pattern, you can directly use Regex syntax: %{WORD} +%{WORD} So "space+" means one or more spaces. "space*" means 0 or more spaces. Grok also has a pattern %{SPACE} that is equivilent to " *" 回答2: You can use %

问题 This may be a simple question, but in my logs the spaces between different fields are uncertain, that mean in some logs I can see two spaces and in some three between the same fields. How do we accommodate this in GROK? 回答1: Grok is at it's heart an overlay on Regex's. So in your grok pattern, you can directly use Regex syntax: %{WORD} +%{WORD} So "space+" means one or more spaces. "space*" means 0 or more spaces. Grok also has a pattern %{SPACE} that is equivilent to " *" 回答2: You can use %

问题 I have the following Grok patterns defined in a pattern file HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b) EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+ EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME} For some reason this doesn't compile when run against http://grokdebug.herokuapp.com/ with the following input, it simply returns "Compile error" Node1\Spam.log.2016-05-03 171 1540699703 03/May/2016 00:00:01 +0000 INFO [http-bio-0.0.0.0-8001-exec-20429]