Field extraction with a regular expression:
Information is extracted from the log with named capture groups of the form (?<field name>regular expression for that field).
Sample log:
<78> 2019-08-21T17:10:01.461970+08:00 localhost CROND: (root) CMD (/usr/lib64/sa/sa1 1 1)
Regular expression:
\<(?<prl>\d+)\>\s+(?<timestamp>\S+)\s+(?<hostname>\S+)\s+(?<type>\S+)\s+(?<message>.*)
This extracts 78, the timestamp, localhost and CROND: as separate fields and merges everything after them into one message field.
The default delimiter between fields is a space.
Extract 78: \<(?<prl>\d+)\> ; \d matches a digit, + means one or more repetitions of the preceding element.
Between fields: \s+ matches one or more whitespace characters; \s is any white space character (space, tab, form feed, etc.).
Extract the timestamp: (?<timestamp>\S+) ; \S is the opposite of \s (any non-whitespace character).
Extract the hostname: (?<hostname>\w+) ; \w matches letters, digits and underscore, and \W is the opposite of \w. Note that the expression above uses \S+ for this field, which also accepts the dots and hyphens that appear in real hostnames.
Extract the type: (?<type>\S+)
Merge the remaining text into message: (?<message>.*) ; .* matches everything up to the end of the line.
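The extraction described above, run in Python as an added example (not code from the original page); the sample lines and the hostname variant are constructed here to show the \S+ versus \w+ difference, and a line that does not match returns None instead of partial fields.

```python
import re
from typing import Optional

# The page's pattern, written with Python's (?P<name>...) named-group syntax.
LOG_RE = re.compile(
    r"\<(?P<prl>\d+)\>\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<message>.*)"
)

# Variant with \w+ for the hostname, as the explanation describes.
# \w excludes '.' and '-', so dotted or hyphenated hostnames break the match.
LOG_RE_W = re.compile(
    r"\<(?P<prl>\d+)\>\s+(?P<timestamp>\S+)\s+(?P<hostname>\w+)\s+"
    r"(?P<type>\S+)\s+(?P<message>.*)"
)

# Constructed sample lines (the first is the page's example).
SAMPLE = "<78> 2019-08-21T17:10:01.461970+08:00 localhost CROND: (root) CMD (/usr/lib64/sa/sa1 1 1)"
DOTTED = "<78> 2019-08-21T17:10:01.461970+08:00 web-01.example.com CROND: (root) CMD (/bin/true)"


def extract_fields(line: str, pattern: re.Pattern = LOG_RE) -> Optional[dict]:
    """Split one syslog line into the named fields plus raw_message.

    Returns None when the line does not match, so callers can route
    unparsed lines elsewhere instead of silently getting empty fields.
    """
    m = pattern.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["raw_message"] = line
    return fields


def extract_hostname(line: str, pattern: re.Pattern = LOG_RE) -> Optional[str]:
    """Return just the hostname field, or None when the whole pattern fails."""
    fields = extract_fields(line, pattern)
    return fields["hostname"] if fields else None


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE).items():
        print(f'{key}:"{value}"')
    print("\\S+ on dotted host:", extract_hostname(DOTTED))
    print("\\w+ on dotted host:", extract_hostname(DOTTED, LOG_RE_W))
```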
Split results:
hostname:"localhost"
message:"(root) CMD (/usr/lib64/sa/sa1 1 1)"
prl:"78"
timestamp:"2019-08-21T17:10:01.461970+08:00"
type:"CROND:"
raw_message:"<78> 2019-08-21T17:10:01.461970+08:00 localhost CROND: (root) CMD (/usr/lib64/sa/sa1 1 1)"