Logstash wildcard

Elastic Stack Logstash
1

Logstash recieves many .log files such as mongod.log and mysqld.log. I deal with it in logstash by having an if statement for each file such as:

if [log][file][path] =~ "mysqld.log"

I've been asked to also ship data from some old servers where on top of mysqld.log, there's also mysqld-port3308.log. The port number varies and can be anything.

Because the content of these files are formatted the same, I'm trying to have logstash simply include anything that starts with mysql and ends with .log. Basically mysql*.log

I noticed it doesn't accept astriks, is there an alternative for this? Huge thanks ahead!

2

The regular expression for that is /mysql.*\.log$/.

  • mysql matches the characters mysql literally (case sensitive)
  • .* matches any character (except for line terminators)
    • * Quantifier — Matches between zero and unlimited times, as many times as possible, giving back as needed (greedy)
  • \. matches the character . literally (case sensitive)
  • log matches the characters log literally (case sensitive)
  • $ asserts position at the end of a line

(See https://regex101.com/ for regex explanations)

(Edit: You might want to use /mysql[^\/]*?\.log$/, so it doesn't match paths like mysqldfh/dsjf.log)

1 Like
3

Thank you SO MUCH for the response!

If I may, I only didn't understand the $ part. May I ask what asserts position at the end of a line - means?

Thanks ahead.

EDIT: btw, am I supposed to change somehting in the regex101 website? I want to learn to use it and when I paste the command it says there's an error https://i.imgur.com/cJuErCm.png

4

The regex101 web site supplies the leading and trailing / that surround the regular expression, so you would just enter

mysql.*\.log$

The $ anchors the expression to the end of line, so there cannot be any characters after .log

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.