Function parse_grok_rules

pub fn parse_grok_rules(
    patterns: &[String],
    aliases: BTreeMap<KeyString, String>,
) -> Result<Vec<GrokRule>, Error>

Parses DD grok rules.

Here is an example:

patterns:
  %{access.common} [%{_date_access}] "(?>%{_method} |)%{_url}(?> %{_version}|)" %{_status_code} (?>%{_bytes_written}|-)
  %{access.common} (%{number:duration:scale(1000000000)} )?"%{_referer}" "%{_user_agent}"( "%{_x_forwarded_for}")?.*
aliases:
  "access.common" : %{_client_ip} %{_ident} %{_auth}

You can write grok patterns with the %{MATCHER:EXTRACT:FILTER} syntax:

  • Matcher: A rule (possibly a reference to another token rule) that describes what to expect (number, word, notSpace, etc.)
  • Extract (optional): An identifier representing the capture destination for the piece of text matched by the Matcher.
  • Filter (optional): A post-processor of the match to transform it.

Rules can reference aliases as %{alias_name}, and aliases can themselves reference other aliases; cross-references (circular dependencies) are not allowed and result in an error. Only one rule can match any given log: the first one that matches, from top to bottom, is the one that does the parsing. For further documentation and the full list of available matchers and filters, see https://docs.datadoghq.com/logs/processing/parsing
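The alias-resolution step described above, written out as an added stand-alone illustration (not the crate's own implementation): `%{alias_name}` tokens are expanded recursively, matcher tokens such as `%{_client_ip}` or `%{number:duration:scale(1000000000)}` are passed through untouched, and a circular alias chain is reported as an error instead of being followed until the stack is exhausted. The `CircularAlias` type and the `expand_aliases`/`expand_inner` names are assumptions for this example.

```rust
use std::collections::BTreeMap;

/// An alias that (transitively) references itself. Illustrative; not the crate's `Error`.
#[derive(Debug, PartialEq)]
pub struct CircularAlias(pub String);

/// Expand every `%{alias_name}` in `pattern` using `aliases`, recursively.
/// Tokens that are not alias names (matchers such as `%{_client_ip}` or
/// `%{number:duration:scale(1000000000)}`) are copied through untouched.
/// A circular alias chain is rejected rather than followed forever.
pub fn expand_aliases(
    pattern: &str,
    aliases: &BTreeMap<String, String>,
) -> Result<String, CircularAlias> {
    let mut chain = Vec::new();
    expand_inner(pattern, aliases, &mut chain)
}

fn expand_inner(
    pattern: &str,
    aliases: &BTreeMap<String, String>,
    chain: &mut Vec<String>, // aliases currently being expanded (cycle guard)
) -> Result<String, CircularAlias> {
    let mut out = String::new();
    let mut rest = pattern;
    while let Some(start) = rest.find("%{") {
        let body = start + 2;
        let end = match rest[body..].find('}') {
            Some(e) => body + e,
            None => break, // unterminated token: the tail is copied verbatim below
        };
        out.push_str(&rest[..start]);
        let token = &rest[body..end];
        // Only a bare name (no `:extract:filter` parts) can be an alias reference.
        if !token.contains(':') && aliases.contains_key(token) {
            if chain.iter().any(|c| c == token) {
                return Err(CircularAlias(token.to_string()));
            }
            chain.push(token.to_string());
            out.push_str(&expand_inner(&aliases[token], aliases, chain)?);
            chain.pop();
        } else {
            out.push_str(&rest[start..=end]);
        }
        rest = &rest[end + 1..];
    }
    out.push_str(rest);
    Ok(out)
}
```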