以下是我的应用程序日志条目:
2015-06-24 14:03:16.7288 Sent request message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74] <Request>sometext</Request>
2015-06-24 14:38:05.2460 Received response message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74] <Response>sometext</Response>
我正在使用Logstash的Grok过滤器来提取XML内容和方括号中的客户端令牌。
grok {
match => ["message", "(?<content>(<Request(.)*?</Request>))"]
match => ["message", "(?<clienttoken>(Sent request message \[(.)*?\]))"]
add_tag => "Request"
break_on_match => false
tag_on_failure => [ ]
}
grok {
match => ["message", "(?<content>(<Response(.)*?</Response>))"]
match => ["message", "(?<clienttoken>(Received response message \[(.)*?\]))"]
add_tag => "Response"
break_on_match => false
tag_on_failure => [ ]
}
现在的结果如下所示:
对于第一行日志:
Content = <Request>sometext</Request>
clienttoken = Sent request message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74]
对于第二条日志记录:
Content = <Response>sometext</Response>
clienttoken = Received response message [649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74]
但我希望结果是这样的:
Content = <Request>sometext</Request>
clienttoken = 649b85fa-bfa0-4cb4-8c38-1aeacd1cbf74
请告诉我如何仅提取方括号内的字符串,而不包括匹配模式中的所有匹配字符串。
"(?<clienttoken>(Received response message \[(.*?)\]))"
- Avinash Raj