logstash grok pattern to leave tags empty

Time: 2017-10-20 17:36:42

Tags: regex pattern-matching logstash logstash-grok

I am trying to leave one of the patterns blank when the corresponding tag is not found. But somehow, the next match is getting substituted.

I have a log line as below:

[2017-10-19 09:41:07,204: INFO/Worker-5] <test id = '123:4567', name = 'example_testcase'><TID:0b46030ee6f14055b41b796a4eebfef2><RID:01234567>POST some url to post

I tried the grok pattern below:

^\[%{TIMESTAMP_ISO8601:timestamp}%{DATA}%{LOGLEVEL:log_level}/%{DATA:work_id}\]%{SPACE}(?:<%{DATA:message_headers}>)?(<TID:%{DATA:tid}>)?(<RID:%{BASE10NUM:rid}>)?%{GREEDYDATA:log_message}

This works well as long as message_headers is found. If it is not found, then message headers is getting substituted with TID. Example:

[2017-10-19 09:41:07,204: INFO/Worker-5] <TID:0b46030ee6f14055b41b796a4eebfef2><RID:01234567>POST some url to post

Then the grok pattern should leave message_headers blank; instead, TID is sitting in message_headers. Can anyone help with how to achieve this functionality?

1 answer:

Answer 0 (score: 2)

I removed the optional expression "?" after tid, and it works. Thanks
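
The behaviour from the question and the answer, reproduced as an added example that is not part of the original posts. Ruby is used because its regex engine (Onigmo) is a fork of the Oniguruma engine that grok uses. The grok macros are hand-expanded into simplified stand-ins, and the `GUARDED` lookahead variant and the RID-only log line are assumptions added here.

```ruby
# Added example. Grok macros are expanded by hand into simplified stand-ins:
#   DATA -> .*?   GREEDYDATA -> .*   SPACE -> \s*   BASE10NUM -> \d+   LOGLEVEL -> [A-Z]+
PREFIX  = '\A\[(?<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+).*?' \
          '(?<log_level>[A-Z]+)/(?<work_id>.*?)\]\s*'
HEADERS = '(?:<(?<message_headers>.*?)>)?'
TID     = '(?:<TID:(?<tid>.*?)>)'
SUFFIX  = '(?:<RID:(?<rid>\d+)>)?(?<log_message>.*)'

# Question's pattern: headers and TID are both optional, so the lazy DATA inside
# the headers group is free to swallow the TID tag.
ORIGINAL = Regexp.new(PREFIX + HEADERS + TID + '?' + SUFFIX)
# Answer's change: TID is required, so the engine backtracks out of the headers group.
TID_REQUIRED = Regexp.new(PREFIX + HEADERS + TID + SUFFIX)
# Alternative (assumption, not from the page): a negative lookahead keeps the
# headers group from starting on a TID or RID tag while TID stays optional.
GUARDED = Regexp.new(PREFIX + '(?:<(?!TID:|RID:)(?<message_headers>.*?)>)?' + TID + '?' + SUFFIX)

# Returns a field hash (unmatched optional groups are nil), or nil where grok
# would tag the event with _grokparsefailure.
def parse(pattern, line)
  m = pattern.match(line)
  m && m.named_captures
end

STAMP = '[2017-10-19 09:41:07,204: INFO/Worker-5] '
WITH_HEADERS = STAMP + "<test id = '123:4567', name = 'example_testcase'>" \
               '<TID:0b46030ee6f14055b41b796a4eebfef2><RID:01234567>POST some url to post'
NO_HEADERS   = STAMP + '<TID:0b46030ee6f14055b41b796a4eebfef2><RID:01234567>POST some url to post'
RID_ONLY     = STAMP + '<RID:01234567>POST some url to post' # constructed sample

if __FILE__ == $PROGRAM_NAME
  { 'original' => ORIGINAL, 'tid_required' => TID_REQUIRED, 'guarded' => GUARDED }.each do |name, re|
    [WITH_HEADERS, NO_HEADERS, RID_ONLY].each do |line|
      f = parse(re, line)
      puts "#{name}: " + (f ? f.values_at('message_headers', 'tid', 'rid').inspect : 'no match')
    end
  end
end
```

Making TID mandatory means a line without a TID tag no longer matches at all. In a Logstash filter the guarded form would be written `(?:<(?!TID:|RID:)%{DATA:message_headers}>)?`, since grok patterns accept inline Oniguruma syntax.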