我试图从日志行中提取一个文件,我使用http://grokdebug.herokuapp.com/来调试我的正则表达式:
(?<action>(?<=action=).*(?=\&))输入文字如下:
/event?id=123&action={"power":"on"}&package=1我能够得到像这样的结果:
{ "action": [ "{"power":"on"}" ] }但是当我将此配置复制到我的logstash配置文件时:
input { stdin{} } filter { grok { match => { "message" => "(?<action>(?<=action=).*(?=\&))"} } } output { stdout { codec => 'json' }}输出表示匹配失败:
{"message":" /event?id=123&action={\"power\":\"on\"}&package=1","@version":"1","@timestamp":"2016-01-05T10:30:04.714Z","host":"xxx","tags":["_grokparsefailure"]}我在cygwin中使用logstash-2.1.1。 任何想法为什么会发生?
I'm trying to extract a filed out of log line, i use http://grokdebug.herokuapp.com/ to debug my regular expression with:
(?<action>(?<=action=).*(?=\&))with input text like this:
/event?id=123&action={"power":"on"}&package=1i was able to get result like this:
{ "action": [ "{"power":"on"}" ] }but when i copy this config to my logstash config file:
input { stdin{} } filter { grok { match => { "message" => "(?<action>(?<=action=).*(?=\&))"} } } output { stdout { codec => 'json' }}the output says matching failed:
{"message":" /event?id=123&action={\"power\":\"on\"}&package=1","@version":"1","@timestamp":"2016-01-05T10:30:04.714Z","host":"xxx","tags":["_grokparsefailure"]}i'm using logstash-2.1.1 in cygwin. any idea why this happen?
最满意答案
您可能会遇到由贪婪的点匹配子模式引起的问题.* 。 由于你只对action=后的一串文本感兴趣,直到字符串的下一个或最后,最好使用否定字符类[^&] 。
所以,使用
[?&]action=(?<action>[^&]*)[?&]匹配一个? 或&和作为边界在这里工作。
You might experience an issue caused by a greedy dot matching subpattern .*. Since you are only interested in a string of text after action= till next & or end of string you'd better use a negated character class [^&].
So, use
[?&]action=(?<action>[^&]*)The [?&] matches either a ? or & and works as a boundary here.
更多推荐
发布评论