-2

Feeling difficulty in writing grok patterns. Please help

I have a service method called GetIndicatorsByAnalysisProcessIDServlet, and from this how do I extract only GetIndicatorsByAnalysisProcess? The text GetIndicatorsByAnalysisProcess will not be the same.

The challenge I felt here is truncating the string from the backward direction.

I followed up with:

grok {
  match => ["destinationid", "(?<fieldname>discard.{7})"]
}  

It highlights considering the number of characters from the start.

4

1 Answer

1

If I understand correctly, you need to have the first word in a variable. This can be done with

(?<fieldname>[^\s]*)\s*

Sample output from it

{
  "fieldname": [
    [
      "GetIndicatorsByAnalysisProcessIDServlet"
    ]
  ]
}

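If you have various beginnings with optional whitespace but the end of the sentence is exactly the same, the effective regex will be different.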

Answered on 2017-02-28T16:49:53.857
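An added example, not part of the original question or answer: two ways to drop a trailing part of the value while keeping a variable-length prefix, shown in Ruby because its regex engine accepts the same `(?<name>...)` named-capture syntax that grok uses. The suffix `IDServlet` comes from the question's sample value; the helper names and the extra sample values are constructed for illustration.

```ruby
# Added example (not from the original thread). Helper names are hypothetical.

# Variant 1: the trailing text is known. The lazy \S+? captures everything
# before the literal suffix, however long the prefix is.
BY_SUFFIX = /\A(?<fieldname>\S+?)IDServlet\z/

# Variant 2: only the NUMBER of trailing characters is known. The lookahead
# requires exactly n characters between the capture and the end of the
# string, so counting starts from the end instead of from the start
# (which is what "discard.{7}" in the question does).
def by_length(n)
  /\A(?<fieldname>\S+)(?=\S{#{Integer(n)}}\z)/
end

# Returns the captured prefix, or nil when the value does not match
# (in grok terms: the event would be tagged _grokparsefailure).
def extract(pattern, value)
  m = pattern.match(value)
  m && m[:fieldname]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; only the first one appears in the thread.
  samples = [
    "GetIndicatorsByAnalysisProcessIDServlet",
    "GetUsersIDServlet",
    "HealthCheck",   # no suffix: variant 1 must not match
    "Servlet"        # shorter than 9 chars: variant 2 must not match
  ]
  samples.each do |s|
    puts format("%-42s suffix=%-32p length=%p",
                s, extract(BY_SUFFIX, s), extract(by_length(9), s))
  end
end
```

Variant 2 removes the last n characters whatever they are, so it also trims values that do not end in the expected suffix; use variant 1 when the suffix text is fixed.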