Question
This may be a simple question, but in my logs the spaces between different fields are uncertain; that means in some logs I can see two spaces and in some three between the same fields. How do we accommodate this in GROK?
Answer 1:
Grok is at its heart an overlay on regexes. So in your grok pattern, you can directly use regex syntax:
%{WORD} +%{WORD}
So "space+" means one or more spaces. "space*" means 0 or more spaces.
Grok also has a pattern %{SPACE} that is equivalent to " *"
Answer 2:
You can use %{SPACE}*
in your grok pattern for matching an uncertain number of spaces. It will match whether spaces are present or not.
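Added example (not part of either answer, and not grok itself): a small Python emulation of grok's %{NAME:field} expansion, run over constructed log lines to compare a single literal space, " +" and %{SPACE} as field separators. The three-entry pattern table is assumed to mirror the stock definitions; grok_to_regex, grok_match, survey and the sample lines are hypothetical names and data made up for illustration.

```python
import re

# Subset of grok's stock definitions (assumption: mirrors logstash-patterns-core).
GROK_PATTERNS = {"WORD": r"\b\w+\b", "NOTSPACE": r"\S+", "SPACE": r"\s*"}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} references into a Python regex."""
    def expand(m):
        body = GROK_PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return _REF.sub(expand, pattern)

def grok_match(pattern, line):
    """Return the captured fields, or None when the line does not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# Three ways to write the separator between the same three fields.
SEPARATORS = {
    "single": "%{WORD:prog} %{WORD:action} %{WORD:user}",    # exactly one space
    "plus": "%{WORD:prog} +%{WORD:action} +%{WORD:user}",    # one or more spaces
    "space": "%{WORD:prog}%{SPACE}%{WORD:action}%{SPACE}%{WORD:user}",
}

# Constructed sample lines: one space, two/three spaces, a tab.
LINES = ["sshd Failed root", "sshd  Failed   root", "sshd\tFailed root"]

# Zero-width separators can split one token into two fields when the
# neighbouring patterns have no boundary of their own (NOTSPACE, unlike WORD).
LOOSE = "%{NOTSPACE:a}%{SPACE}%{NOTSPACE:b}"
STRICT = "%{NOTSPACE:a} +%{NOTSPACE:b}"

def survey():
    """Map each sample line to which separator styles parse it."""
    return {line: {name: grok_match(p, line) is not None
                   for name, p in SEPARATORS.items()} for line in LINES}

if __name__ == "__main__":
    for line, result in survey().items():
        print(repr(line), result)
    print("LOOSE on 'root': ", grok_match(LOOSE, "root"))
    print("STRICT on 'root':", grok_match(STRICT, "root"))
```

When a separator is mandatory in the log format, " +" keeps a malformed line from being parsed into wrong fields, while a zero-or-more separator accepts it silently.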
Source: https://stackoverflow.com/questions/45487024/accommodate-uncertain-number-of-spaces-in-a-log-file-grok-pattern