示例日志文件如下
2018-07-02 09:35:57 991 [INFO] from application in pool-2-thread-9 - Authenticate document processing time for transactionId : 1271400374895007_node1 documentType : Passport is 1629 msec
我写了 grok 过滤器来提取一些字段,如交易、文档类型、持续时间
%{TIMESTAMP_ISO8601:timestamp} ([%{WORD:loglevel}]) (?<logger>(?:[a-zA-Z0-9-]+.)*[A-Za-z0-9$]+)s+(-s+)? %{GREEDYDATA} .*transactionId : %{WORD:transactionid} documentType : %{WORD:document type} is (?<duration>.*msec
有人可以建议如何在两个特定单词"-"(消息之间("处理时间"之间提取数据吗?
您可以创建自定义模式来匹配-和processing time之间的所有内容,
(?<pool_thread>w+[-]d+[-]w+[-]d+s*?)-(?<custom_word>.*?)(processing time)
这将输出,
{
"pool_thread": [
[
"pool-2-thread-9 "
]
],
"custom_word": [
[
" Authenticate document "
]
]
}