promtail 配置的正则表达式

发布于 2025-01-12 03:39:08 字数 1822 浏览 4 评论 0原文

我一直在努力让正则表达式字符串正常工作。 Promtail 使用它来解析我的日志中的标签。我遇到的问题是它不能与积极的前瞻一起工作（因为我认为 promtail 是用 go 编写的？）

无论如何，日志都是网络日志，这里有几个例子：

INFO:     172.0.0.1:0 - "POST /endpoint1/UNIQUE-ID?key=unique_value HTTP/1.1" 200 OK
INFO:     172.0.0.2:0 - "GET /endpoint/health HTTP/1.1" 200 OK
172.0.0.1:0 - - [04/Mar/2022:10:52:10 -0500] "GET /endpoint2/optimize HTTP/1.1" 200 271
INFO:     172.0.0.3:0 :0 - "GET /endpoint3?key=unique_value HTTP/1.1" 200 OK

另一件事值得一提的是 UNIQUE- ID 将是 VIN ID（车辆识别号）

我要创建的组是： ip request endpoint 状态。但是，由于端点 1 中的所有 UNIQUE_ID 以及端点 1 和端点 3 中的 unique_values，使用完整端点路径会导致 loki 中的流过多，并基本上杀死它。

我的解决方案正则表达式如下所示：

(?P<ip>((?:[0-9]{1,3}\.){3}[0-9]{1,3})).+(?P<request>(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH)).(?P<endpoint>(.+endpoint1\/health)|(.+endpoint1)|(.+)(\?)|(.+) ).+\".(?P<status>([0-9]{3}))

它捕获以下组：

ip: `172.0.0.1`, `172.0.0.2`, `172.0.0.1` `172.0.0.3`
request: `POST`, `GET`, `GET`, `GET`
endpoint: `/endpoint1`, `/endpoint1/health`, `/endpoint2/optimize `, `/endpoint3?`
status: `200`,`200`,`200`,`200`

问题是 /endpoint2/optimize 和 /endpoint3? 的端点。端点 2 末尾有一个尾随空格，端点 3 包含 ?。我能够使用正向前瞻和以下正则表达式来实现此功能，但它会在 Promtail 中引发错误。

(?P<ip>((?:[0-9]{1,3}\.){3}[0-9]{1,3})).+(?P<request>(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH)).(?P<endpoint>(.+endpoint1\/health)|(.+endpoint1)|(.+)(?=\?)|(.+)(?= )).+\".(?P<status>([0-9]{3}))

任何帮助将不胜感激！我远没有假装我了解正则表达式...

编辑：这是一个示例 https:/ /regex101.com/r/FXvnqR/1

原文

I've been struggling to get a regex string working. It's being used for Promtail to parse labels from my logs. The problem I'm having is it's not working with positive lookahead (because I think promtail is written in go?)

Anyway the logs are web logs and here are a few examples:

INFO:     172.0.0.1:0 - "POST /endpoint1/UNIQUE-ID?key=unique_value HTTP/1.1" 200 OK
INFO:     172.0.0.2:0 - "GET /endpoint/health HTTP/1.1" 200 OK
172.0.0.1:0 - - [04/Mar/2022:10:52:10 -0500] "GET /endpoint2/optimize HTTP/1.1" 200 271
INFO:     172.0.0.3:0 :0 - "GET /endpoint3?key=unique_value HTTP/1.1" 200 OK

Another thing worth pinting out is that the UNIQUE-ID is going to be a VIN ID (vehicle identification number)

The groups I'm looking to create are: ip request endpoint status. However, because of all the UNIQUE_ID in endpoint1 and the unique_values in endpoint1 and endpoint3, using the full endpoint path causes too many streams in loki and essentially kills it.

My solution regex looks like this:

(?P<ip>((?:[0-9]{1,3}\.){3}[0-9]{1,3})).+(?P<request>(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH)).(?P<endpoint>(.+endpoint1\/health)|(.+endpoint1)|(.+)(\?)|(.+) ).+\".(?P<status>([0-9]{3}))

And it captures the following groups:

ip: `172.0.0.1`, `172.0.0.2`, `172.0.0.1` `172.0.0.3`
request: `POST`, `GET`, `GET`, `GET`
endpoint: `/endpoint1`, `/endpoint1/health`, `/endpoint2/optimize `, `/endpoint3?`
status: `200`,`200`,`200`,`200`

The problem is the endpoints for /endpoint2/optimize and /endpoint3?. endpoint2 has a trailing space at the end and endpoint3 includes the ?. I was able to get this working using positive lookahead with the following regex, but it throws an error in Promtail.

(?P<ip>((?:[0-9]{1,3}\.){3}[0-9]{1,3})).+(?P<request>(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH)).(?P<endpoint>(.+endpoint1\/health)|(.+endpoint1)|(.+)(?=\?)|(.+)(?= )).+\".(?P<status>([0-9]{3}))

Any help would be greatly appreciated! I am far from pretending like I know my way around regex...

EDIT: Here is an example https://regex101.com/r/FXvnqR/1

分享到QQ

分享到微博