[Lognorm] Escape [ and ]
David Lang
david at lang.hm
Wed Jun 10 08:13:16 CEST 2015
On Wed, 10 Jun 2015, Фадеев Виталий Львович wrote:
>
> Hi!
> I want to log all from apache. I use custom log in apache that looks like:
>
> [2015-06-09 18:27:07 197 NOVT] [192.168.1.67] [192.168.1.67] [192.168.1.254] [818] [/var/www/host/css/button.css] [192.168.1.67] [HTTP/1.1] [1] [-] [GET] [5064] [?v=0] [GET /css/button.css?v=0 HTTP/1.1] [-] [200] [200] [0] [/css/button.css] [hostname.domain] [hostname.domain] [+] [1540] [1138] [" http://hostname.domain/index.html "] ["Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"]
>
> For example, i create test.log that contains:
> [2015-06-09 16:47:34 830 NOVT]
>
> and test.rb:
> rule=:[%date:date-iso% %time:time-24hr% %microsec:number% %timezone:char-to:]%
>
> If i try i get:
> $ lognormalizer -r test.rb -e json < test.log
> { "originalmsg": "[2015-06-09 16:47:34 830 NOVT]", "unparsed-data": "]" }
>
> How to parse data between [ and ] ?
you almost have it correct. The only thing that you are missing is that char-to
doesn't 'consume' the matching character, so your rule would need to be:
rule=:[%date:date-iso% %time:time-24hr% %microsec:number% %timezone:char-to:]%]
David Lang
-------------- next part --------------
_______________________________________________
Lognorm mailing list
Lognorm at lists.adiscon.com
http://lists.adiscon.net/mailman/listinfo/lognorm
More information about the Lognorm
mailing list