Why does the prematch work, but the decoder tester cannot find a decoder for the log?
Decoder settings:
<decoder name="wireguard">
  <prematch>^timestamp.*\.$</prematch>
</decoder>
<decoder name="wireguard1">
  <parent>wireguard</parent>
  <regex>^timestamp=([\d\p]+ [\d\p]+), user=([\w\p]+), event=([A-Za-z\s]+)</regex>
  <order>timestamp, user, event</order>
</decoder>
Log samples:
timestamp=2024-04-30 15:42:04.434565+02:00, user=test, event=logged in.
timestamp=2024-04-30 15:44:04.360658+02:00, user=test, event=logged out.
timestamp=2024-04-30 15:50:10.386081+02:00, user=wg0-test, event=logged in.
timestamp=2024-04-30 15:52:10.376882+02:00, user=wg0-test, event=logged out.
timestamp=2024-04-30 16:01:56.366630+02:00, user=wg0-test, event=logged in.
timestamp=2024-04-30 16:03:56.385659+02:00, user=wg0-test, event=logged out.
I want a regular expression that matches the provided logs.
It looks like the simplest answer is
timestamp=(.+), user=(.+), event=(.+)
You have a fully comma-separated list, so you can rely on the commas to split the data into three parts.
Check it out on regex101.com.
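The following is an added example, not part of the original question or answer: it runs the answer's pattern over the sample logs with Python's re module (a stand-in for testing, not the decoder's own regex engine) and compares it with a stricter comma-excluding variant. The STRICT pattern, the helper names and the CONSTRUCTED line are assumptions made for illustration.

```python
import re

FIELDS = ("timestamp", "user", "event")

# The answer's pattern, anchored to the whole line.
GREEDY = re.compile(r"^timestamp=(.+), user=(.+), event=(.+)$")
# Stricter variant (an assumption, not from the page): no value may contain a comma.
STRICT = re.compile(r"^timestamp=([^,]+), user=([^,]+), event=([^,]+)$")

# Sample lines copied from the question.
SAMPLE_LOGS = [
    "timestamp=2024-04-30 15:42:04.434565+02:00, user=test, event=logged in.",
    "timestamp=2024-04-30 15:44:04.360658+02:00, user=test, event=logged out.",
    "timestamp=2024-04-30 15:50:10.386081+02:00, user=wg0-test, event=logged in.",
    "timestamp=2024-04-30 15:52:10.376882+02:00, user=wg0-test, event=logged out.",
    "timestamp=2024-04-30 16:01:56.366630+02:00, user=wg0-test, event=logged in.",
    "timestamp=2024-04-30 16:03:56.385659+02:00, user=wg0-test, event=logged out.",
]

# Constructed line (not from the page): the user value contains the delimiter.
CONSTRUCTED = "timestamp=2024-04-30 16:05:00.000000+02:00, user=a, user=b, event=logged in."


def decode(pattern, line):
    """Return the three fields as a dict, or None if the line does not match."""
    m = pattern.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def compare(lines):
    """Return (line, greedy_result, strict_result) where the patterns disagree."""
    out = []
    for line in lines:
        g, s = decode(GREEDY, line), decode(STRICT, line)
        if g != s:
            out.append((line, g, s))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(GREEDY, line))
    for line, g, s in compare(SAMPLE_LOGS + [CONSTRUCTED]):
        print("disagree:", line, g, s, sep="\n  ")
```

On the six sample lines both patterns extract identical fields; on the constructed line the greedy pattern folds ", user=a" into the timestamp, while the strict pattern rejects the line.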