- clean up the MONTHDAY pattern

- use logging in grok - add some todos
2025-04-23 22:27:21 -04:00 · 2011-10-18 00:15:06 -07:00 · 2011-10-18 00:15:06 -07:00 · eb5fe56129
commit eb5fe56129
parent f2460ad186
2 changed files with 12 additions and 1 deletions
--- a/lib/logstash/filters/grok.rb
+++ b/lib/logstash/filters/grok.rb
@ -79,6 +79,14 @@ class LogStash::Filters::Grok < LogStash::Filters::Base
  # If true, only store named captures from grok.
  config :named_captures_only, :validate => :boolean, :default => false

+  # TODO(sissel): Add this feature?
+  # When disabled, any pattern that matches the entire string will not be set.
+  # This is useful if you have named patterns like COMBINEDAPACHELOG that will
+  # match entire events and you really don't want to add a field
+  # 'COMBINEDAPACHELOG' that is set to the whole event line.
+  #config :capture_full_match_patterns, :validate => :boolean, :default => false
+
+
  # Detect if we are running from a jarfile, pick the right path.
  @@patterns_path ||= Set.new
  if __FILE__ =~ /file:\/.*\.jar!.*/
@ -141,6 +149,8 @@ class LogStash::Filters::Grok < LogStash::Filters::Base

      if !@patterns.include?(field)
        @patterns[field] = Grok::Pile.new
+        @patterns[field].logger = @logger
+
        add_patterns_from_files(@patternfiles, @patterns[field])
      end
      @logger.info("Grok compile", :field => field, :patterns => patterns)
@ -201,6 +211,7 @@ class LogStash::Filters::Grok < LogStash::Filters::Base
              value = value.to_f
          end

+          # Special casing to skip captures that represent the entire log message.
          if fieldvalue == value and field == "@message"
            # Skip patterns that match the entire message
            @logger.debug("Skipping capture since it matches the whole line.", :field => key)
--- a/patterns/grok-patterns
+++ b/patterns/grok-patterns
@ -45,7 +45,7 @@ URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
 # Months: January, Feb, 3, 03, 12, December
 MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
 MONTHNUM (?:0?[1-9]|1[0-2])
-MONTHDAY (?:0?[1-9]|[12][0-9]|3[01])
+MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])

 # Days: Monday, Tue, Thu, etc...
 DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)