我试图在http://grokdebug.herokuapp.com/
的grok调试器中设置一个模式输入:[Sat Aug 01 21:54:54.048805 2015] [:error] [pid 4384:tid 140066215139072] [client 192.168.1.1:62028] PHP Notice: Undefined index: foo in /home/koan/websightdesigns/websightdesigns.com/ierr.php on line 3
模式:
[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})]s[:%{LOGLEVEL:loglevel}]
到目前为止我所做的工作,它输出:
{
"timestamp": [
[
"Sat Aug 01 21:54:54.048805 2015"
]
],
"day": [
[
"Sat"
]
],
"month": [
[
"Aug"
]
],
"MONTHDAY": [
[
"01"
]
],
"TIME": [
[
"21:54:54.048805"
]
],
"HOUR": [
[
"21"
]
],
"MINUTE": [
[
"54"
]
],
"SECOND": [
[
"54.048805"
]
],
"YEAR": [
[
"2015"
]
],
"loglevel": [
[
"error"
]
]
}
到目前为止,一切顺利。然而,我遇到的问题是,如果我试图添加到我的模式以获得下一节,[pid 4384:tid 140066215139072]节,无论我尝试,我都会得到编译错误。
我试过:
[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})]s[:%{LOGLEVEL:loglevel}]s[%{PID:pid}]
:
[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})]s[:%{LOGLEVEL:loglevel}]s[%{PID:pid}:%{TID:tid}]
以及其他模式,但似乎没有工作。有人知道我把[pid 4384:tid 140066215139072]变成变量时可能做错了什么吗?
在此工作了一些之后,下面的模式现在为我工作:
[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})] [.*:%{LOGLEVEL:loglevel}] [pid %{NUMBER:pid}:tid %{NUMBER:tid}] [client %{IP:clientip}:.*] %{GREEDYDATA:errormsg}