Runs a Grok pattern over the log files found in a directory
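#!/usr/bin/env ruby
###############################################
#
# grokDir.rb
#
# Version 0.1
#
# Walks every file matched by a glob (-d) and, for each line that matches
# the Grok pattern (-p, or the built-in IIS pattern), prints the captures.
#
# > ruby grokDir.rb -d "c:/Logs/**/*.log" -p "%{DATESTAMP:timestamp}"
#
###############################################
require "rubygems"
require "grok-pure"
require "pp"
require "optparse"

# default banner
banner = "Usage: #{$0} [-d DIR] [-p PATTERN]"

# IIS pattern, used when no -p is given
pattern = "%{DATESTAMP:eventtime} %{WORD:site} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:request} (?:%{DATA:param}|-) %{NUMBER:port} (?:%{USER:username}|(%{WORD:domain}\\%{USER:username})|-) %{IPORHOST:clientip}(?: %{DATA:agent}|-) %{NUMBER:response} %{NUMBER:status} %{NUMBER:win32Status}"

options = {}
# Block parameter renamed so it no longer shadows the outer `opts` local.
opts = ARGV.options do |parser|
  parser.banner = banner
  parser.on("-d", "--directory DIR", "Logfile directory") do |d|
    options[:dir] = d
  end
  parser.on("-p", "--pattern PATTERN", "Grok pattern") do |p|
    options[:pattern] = p
  end
end

# No arguments at all: show usage and stop. This sits outside the begin/rescue
# on purpose -- `exit` raises SystemExit, and the previous `rescue Exception`
# caught it, printing "exit" and the usage text a second time.
if ARGV.empty?
  puts opts
  exit
end

# Only option-parsing failures are rescued (never Exception, which would also
# swallow SystemExit/Interrupt). Error paths exit non-zero so callers can tell
# a bad invocation from a successful run.
begin
  opts.parse!(ARGV)
rescue OptionParser::ParseError => e
  puts e, "", opts
  exit 1
end

# -d is required: Dir.glob(nil) would otherwise raise TypeError.
unless options[:dir]
  puts "missing required option: -d DIR", "", opts
  exit 1
end

grok = Grok.new
# Pattern definitions are resolved relative to the current working directory,
# so the script must be run from the directory that contains ./patterns.
grok.add_patterns_from_file("./patterns/grok-patterns")
grok.compile(options[:pattern] || pattern)

# Dir.glob never yields "." or "..", so no explicit skip is needed; directories
# that happen to match the glob are skipped instead of failing on each_line.
Dir.glob(options[:dir]) do |path|
  next unless File.file?(path)

  # File.foreach closes the handle when the file is done; the former
  # File.open(path).each_line left every handle open until GC.
  File.foreach(path) do |line|
    match = grok.match(line)
    next unless match

    puts "Resulting capture:"
    pp match.captures
  end
end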