Service logs: Grok regex parsing

Sample log lines

Service type | Log format
Java application (e.g. Kafka, ES) | [2025-04-29 11:21:12,395] INFO [Log partition=ck-1, dir=/opt/kafka_2.13-2.8.1/data] Incremented log start offset to 3591510004 due to segment deletion (kafka.log.Log)
Tomcat (Chinese locale, level printed as 信息) | 27-Apr-2025 14:25:14.905 信息 [main] org.apache.catalina.startup.Catalina.start Server startup in 524 ms
Nginx | 127.0.0.1 - - [29/Apr/2025:11:32:12 +0800] "POST /ds HTTP/1.1" 200 1597 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool" "-" "34.265" "192.168.56.11:1012" "34.264"
ClickHouse | 2025.04.29 10:25:59.037034 [ 738653 ] {} gauge.process_metric (ReplicatedMergeTreePartCheckThread): Checking if anyone has a part 20250429_14527_14527_0 or covering part.
Redis | 2082700:C 29 Apr 2025 11:31:52.184 * DB saved on disk
Linux (syslog) | Apr 29 16:01:37 app03 systemd[1]: Started Session c586513 of user monitor.

Regex parsing expressions

  • Online pattern debugger: https://grokdebugger.com/
-- Log time
(?<logTime>(%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY})\s*\S?%{TIME}\w?)     --【ES】【Kafka】【ClickHouse】
(?<logTime>(%{MONTHDAY}\s*%{MONTH}\s*%{YEAR}\s*%{TIME}))                  --【Redis】
(?<logTime>(%{MONTHDAY}[./-]%{MONTH}[./-]%{YEAR})\s*\S?\s*%{TIME}(\s*[+-]\d{4})?) --【Nginx】【Tomcat】
(?<logTime>(%{MONTH}\s*%{MONTHDAY}\s*%{TIME}))                           --【Linux】
(?<logTime>(%{MONTHNUM}[./-]%{MONTHDAY}[./-]%{YEAR})\s*\S?\s*%{TIME}(\s*(?:AM|PM))?)  -- US-style MM/DD/YYYY with optional AM/PM (no sample above)

Notes on the patterns:
  • The `\s*\S?` between date and time absorbs the `T` in an ES timestamp and the `:` in Nginx's `[29/Apr/2025:11:32:12 +0800]`; `%{TIME}` already accepts `,395` and `.037034` fractional seconds.
  • The Nginx offset group is written `[+-]\d{4}` so that a negative offset such as `-0500` is captured too; a `\+\d+` form would silently drop it from logTime.
  • In the AM/PM pattern the whole ` AM` / ` PM` suffix is optional; writing `%{TIME} (AM|PM)?` instead would require a trailing space even when no AM/PM is present.
  • The syslog pattern has no year, so a downstream date filter has to supply one (Logstash's date filter assumes the current year); check the result around year-end.

-- Log level
 (?<loglevel>%{LOGLEVEL}) 
 \[?(?<loglevel>%{LOGLEVEL})\]? 
 (?<loglevel>(信息|警告|错误)) 

The third pattern is for Tomcat running under a Chinese locale, where the level is printed as 信息/警告/错误 instead of the English names. Caveat: `%{LOGLEVEL}` carries no word boundaries and includes short forms such as `[Ee]rr?`, `[Ii]nfo?` and `[Ww]arn?`, so searched unanchored across a whole line it will happily return `er` from "Server", "Merge" or "user" as the level. Anchor it, either with `\b` on both sides or by placing it directly after the timestamp pattern, rather than letting it float over the message text.
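Added example, not code from the original page: a minimal grok expander in Python that rewrites `%{NAME}` references and Oniguruma-style `(?<name>...)` groups into a plain `re` pattern, runs the timestamp patterns above over copies of the sample lines, and contrasts a bare `%{LOGLEVEL}` search with one wrapped in `\b`. The base definitions are abridged from logstash-patterns-core; the service keys, function names, the `LEVEL_PATTERNS_*` lists and the `SAMPLE_LINES` list are this example's own constructions.

```python
import re

# Base definitions abridged from logstash-patterns-core's grok-patterns file.
# YEAR uses (?:..) instead of the original atomic group (?>..) so it compiles on
# every Python 3; TIME's lookbehind is the intended form of the original text.
GROK_BASE = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?"
             r"|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y|i)?|[Aa]ug(?:ust)?"
             r"|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "LOGLEVEL": r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE"
                r"|[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?"
                r"|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?"
                r"|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")   # %{NAME} or %{NAME:field}


def expand(pattern, defs=GROK_BASE):
    """Turn a grok pattern into a plain Python regex string.

    %{NAME} becomes (?:<definition>), %{NAME:field} becomes (?P<field>...),
    recursively; (?<name>...) groups are rewritten to Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are not touched because no \\w+ follows the '<'.
    """
    pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

    def sub(m):
        name, field = m.group(1), m.group(2)
        if name not in defs:
            raise KeyError(f"unknown grok pattern %{{{name}}}")
        body = expand(defs[name], defs)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return _REF.sub(sub, pattern)


# Timestamp patterns per service, in grok syntax (service keys are this example's).
TIME_PATTERNS = {
    "kafka/es/clickhouse": r"(?<logTime>(%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY})\s*\S?%{TIME}\w?)",
    "redis": r"(?<logTime>(%{MONTHDAY}\s*%{MONTH}\s*%{YEAR}\s*%{TIME}))",
    "nginx/tomcat": r"(?<logTime>(%{MONTHDAY}[./-]%{MONTH}[./-]%{YEAR})\s*\S?\s*%{TIME}(\s*[+-]\d{4})?)",
    "linux": r"(?<logTime>(%{MONTH}\s*%{MONTHDAY}\s*%{TIME}))",
}

# Level patterns. The first list searches a bare %{LOGLEVEL} anywhere in the line;
# the second adds \b on both sides so it cannot fire on "er" inside a word.
LEVEL_PATTERNS_UNANCHORED = [
    r"\[?(?<loglevel>%{LOGLEVEL})\]?",
    r"(?<loglevel>(信息|警告|错误))",      # Tomcat under a Chinese locale
]
LEVEL_PATTERNS_ANCHORED = [
    r"\[?\b(?<loglevel>%{LOGLEVEL})\b\]?",
    r"(?<loglevel>(信息|警告|错误))",
]


def parse(line, service, level_patterns=LEVEL_PATTERNS_ANCHORED):
    """Extract logTime and loglevel from one line; a field is None when nothing matched."""
    result = {"logTime": None, "loglevel": None}
    m = re.search(expand(TIME_PATTERNS[service]), line)
    if m:
        result["logTime"] = m.group("logTime")
    for pat in level_patterns:            # first pattern that hits wins
        m = re.search(expand(pat), line)
        if m:
            result["loglevel"] = m.group("loglevel")
            break
    return result


# Constructed sample lines, copied from the table above (service, line).
SAMPLE_LINES = [
    ("kafka/es/clickhouse", "[2025-04-29 11:21:12,395] INFO [Log partition=ck-1, dir=/opt/kafka_2.13-2.8.1/data] Incremented log start offset to 3591510004 due to segment deletion (kafka.log.Log)"),
    ("nginx/tomcat", "27-Apr-2025 14:25:14.905 信息 [main] org.apache.catalina.startup.Catalina.start Server startup in 524 ms"),
    ("nginx/tomcat", '127.0.0.1 - - [29/Apr/2025:11:32:12 +0800] "POST /ds HTTP/1.1" 200 1597 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool" "-" "34.265" "192.168.56.11:1012" "34.264"'),
    ("kafka/es/clickhouse", "2025.04.29 10:25:59.037034 [ 738653 ] {} gauge.process_metric (ReplicatedMergeTreePartCheckThread): Checking if anyone has a part 20250429_14527_14527_0 or covering part."),
    ("redis", "2082700:C 29 Apr 2025 11:31:52.184 * DB saved on disk"),
    ("linux", "Apr 29 16:01:37 app03 systemd[1]: Started Session c586513 of user monitor."),
]


def parse_samples(level_patterns=LEVEL_PATTERNS_ANCHORED):
    """Parse every sample line with its service's timestamp pattern."""
    return [parse(line, service, level_patterns) for service, line in SAMPLE_LINES]


if __name__ == "__main__":
    for (service, _), r in zip(SAMPLE_LINES, parse_samples(LEVEL_PATTERNS_UNANCHORED)):
        print(f"{service:20} unanchored -> {r}")
    for (service, _), r in zip(SAMPLE_LINES, parse_samples()):
        print(f"{service:20} anchored   -> {r}")
```

Running it shows every timestamp pattern matching its sample, while the unanchored level search reports `er` (from "Server", "Merge" and "user") for the Tomcat, ClickHouse and Linux lines and never reaches the 信息 pattern; the `\b`-anchored list returns INFO, 信息 and None for the lines that carry no level (Redis marks severity with a symbol such as `*`, which `%{LOGLEVEL}` does not know). Two practical points for a Logstash deployment: anchor the level to a position (after the timestamp) rather than searching the whole message, and keep the grok filter's `timeout_millis` finite, because fields such as the Nginx User-Agent are attacker-controlled input to these regexes.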
