我正在使用logstash将一些日志发送到elasticsearch。我无法弄清楚 [Mon Jan 04 08:36:12 2021] 的 grok 模式。格式为Day Month Date Time Year非常欢迎帮助和建议。
日志 - [Mon Jan 04 08:36:12 2021]
Grok 我试过了 -\[%{DAY:day} %{MONTH:month} %{TIME:time} %{YEAR:year}]
预期结果 -Day:Mon Month:Jan Date:04 Hour:08 Minute:36 Second:12 Year:2021
您忘记指定%{MONTHDAY}月份和时间变量之间的值。
您可以使用
\[%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME:time} %{YEAR:year}]
使用的Grok 模式列表:
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)MONTH \b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y|i)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\bMONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
HOUR (?:2[0123]|[01]?[0-9])MINUTE (?:[0-5][0-9])SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)YEAR (?>\d\d){1,2}