logstash + grok regex syntax

Detailed regex rules reference:

Regex syntax rules

Example:

The log format is as follows:

[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]
[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["POST /v2.0/tokens HTTP/1.1" 200 3080]
[vclound][2015-11-03 03:35:50,384][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.160]
[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=["GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1" 404 73]

logstash regex rule reference:

filter {
  if [type] == "pinyun" {
    grok {
      match => { "message" => "\[%{USERNAME:username}\]\[%{TIMESTAMP_ISO8601:time}\]\[%{LOGLEVEL:loglevel}\]\[%{PROG:filepath}\]\[%{PROG:function}\]\[-\]\[%{BASE16NUM:progid}\]\=\[%{GREEDYDATA:info}\]" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
  }
}

Note: when the log output contains spaces, the match must include those same spaces; when it contains a special character, match that special character literally (as the escaped \[ and \] in the pattern above do).
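To check a grok expression against real log lines before putting it into a Logstash filter, the following added example (not from the original post) expands the page's exact match string into a Python regex using simplified versions of the stock grok definitions; the pattern names and the two sample lines are from the page, the helper names are mine.

```python
import re

# Simplified forms of the stock grok definitions used by the filter above
# (enough for these uwsgi lines; the real library entries are broader).
GROK_PATTERNS = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|CRITICAL|FATAL",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",  # printable ASCII except '[' and ']'
    "BASE16NUM": r"(?:0[xX])?[0-9A-Fa-f]+",
    "GREEDYDATA": r".*",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into Python named groups. Text outside
    the references is passed through as regex, exactly as grok does, which is
    why literal '[' ']' must be escaped and spaces must appear as-is."""
    out, pos = [], 0
    for m in _GROK_REF.finditer(pattern):
        out.append(pattern[pos:m.start()])
        body, field = GROK_PATTERNS[m.group(1)], m.group(2)
        out.append(f"(?P<{field}>{body})" if field else f"(?:{body})")
        pos = m.end()
    out.append(pattern[pos:])
    return "".join(out)

# The exact match string from the filter block above.
UWSGI_GROK = (r"\[%{USERNAME:username}\]\[%{TIMESTAMP_ISO8601:time}\]"
              r"\[%{LOGLEVEL:loglevel}\]\[%{PROG:filepath}\]\[%{PROG:function}\]"
              r"\[-\]\[%{BASE16NUM:progid}\]\=\[%{GREEDYDATA:info}\]")
UWSGI_RE = re.compile(grok_to_regex(UWSGI_GROK))

def parse_line(line: str):
    """Return the extracted fields, or None where Logstash would instead tag
    the event with _grokparsefailure."""
    m = UWSGI_RE.search(line)
    return m.groupdict() if m else None

# Sample input: two of the log lines shown above.
SAMPLE_LINES = [
    '[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/'
    'urllib3/connectionpool.py:203][_new_conn][-][140192616544000]='
    '[Starting new HTTP connection (1): 240.10.129.80]',
    '[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/'
    'urllib3/connectionpool.py:295][_make_request][-][140192616544000]='
    '["POST /v2.0/tokens HTTP/1.1" 200 3080]',
]
```

Lines the pattern does not match return None, which is the case to watch for in production: unmatched events silently carry the _grokparsefailure tag instead of the parsed fields.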

The output looks like this:

{
          "message" => "[vclound][2015-11-03 03:35:50,283][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.80]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.051Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "58995",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,283",
         "loglevel" => "INFO",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203",
         "function" => "_new_conn",
           "progid" => "140192616544000",
             "info" => "Starting new HTTP connection (1): 240.10.129.80",
      "received_at" => "2015-11-03T02:01:30.051Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,381][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=[\"POST /v2.0/tokens HTTP/1.1\" 200 3080]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.060Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59181",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,381",
         "loglevel" => "DEBUG",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295",
         "function" => "_make_request",
           "progid" => "140192616544000",
             "info" => "\"POST /v2.0/tokens HTTP/1.1\" 200 3080",
      "received_at" => "2015-11-03T02:01:30.060Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,384][INFO][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203][_new_conn][-][140192616544000]=[Starting new HTTP connection (1): 240.10.129.160]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.068Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59362",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,384",
         "loglevel" => "INFO",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:203",
         "function" => "_new_conn",
           "progid" => "140192616544000",
             "info" => "Starting new HTTP connection (1): 240.10.129.160",
      "received_at" => "2015-11-03T02:01:30.068Z",
    "received_from" => "terry-zskvt.vclound.com"
}
{
          "message" => "[vclound][2015-11-03 03:35:50,454][DEBUG][/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295][_make_request][-][140192616544000]=[\"GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1\" 404 73]",
         "@version" => "1",
       "@timestamp" => "2015-11-03T02:01:30.074Z",
             "type" => "pinyun",
             "file" => "/apps/logs/uwsgi/uwsgi.log",
             "host" => "terry-zskvt.vclound.com",
           "offset" => "59549",
         "username" => "vclound",
             "time" => "2015-11-03 03:35:50,454",
         "loglevel" => "DEBUG",
         "filepath" => "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py:295",
         "function" => "_make_request",
           "progid" => "140192616544000",
             "info" => "\"GET /v2/bb0b51d166254dc99bc7462c0ac002ff/servers/b4b530e7-cd9b-42c1-bcd4-a48140726846 HTTP/1.1\" 404 73",
      "received_at" => "2015-11-03T02:01:30.074Z",
    "received_from" => "terry-zskvt.vclound.com"
}

Time: 2024-12-15 02:51:41
