(?#...)  no   comment, discarded
(?:...)  yes  clustering-only, non-capturing parentheses
The named group syntax is (?<grp name>...).
The result of a named group match is stored in the %+ hash; read a named group's value with $+{grp name}.
digit       [0-9]          \d   (one or more digits: \d+)
whitespace  [ \t\n\r\f]    \s
word        [a-zA-Z_0-9]   \w
[elk@Vsftp logstash]$ cat grok.conf
input {stdin {}}
filter {
grok {
match =>{
"message" =>"\s+(?<request_time>\d+(?:\.\d+)?)\s+"
}
}
}
output {
stdout {
codec => rubydebug
}
}
[elk@Vsftp logstash]$ logstash -f grok.conf
Settings: Default pipeline workers: 4
Pipeline main started
begin 123.456 end
{
"message" => " begin 123.456 end",
"@version" => "1",
"@timestamp" => "2017-02-08T06:11:06.570Z",
"host" => "Vsftp",
"request_time" => "123.456"
}
Perl regex captures:
(?:\.\d+) is a non-capturing group: what it matches is not recorded in $1, $2, $3.
Vsftp:/root/20170208# cat a1.pl
my $str=" begin 123.456 end ";
if ($str =~/(?<request_time>\d+)/)
{
my ($request_time) = ($+{request_time});
print $request_time."\n";
};
Vsftp:/root/20170208# perl a1.pl
123
Vsftp:/root/20170208# cat a1.pl
my $str=" begin 123.456 end ";
if ($str =~/\s+(?<request_time>\d+(\.\d+)?)\s+/)
{
my ($request_time) = ($+{request_time});
print "\$1 is $1\n";
print "\$2 is $2\n";
print $request_time."\n";
};
Vsftp:/root/20170208# perl a1.pl
$1 is 123.456
$2 is .456
123.456
Vsftp:/root/20170208# cat a1.pl
my $str=" begin 123.456 end ";
#if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
{
my ($request_time) = ($+{request_time});
print "\$1 is $1\n";
print "\$2 is $2\n";
print $request_time."\n";
};
Vsftp:/root/20170208# perl a1.pl
$1 is 123.456
$2 is
123.456
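The three Perl patterns above, rerun as an added example (not code from the original post) through Ruby's Onigmo engine, which belongs to the same Oniguruma family of regex dialects that Logstash grok uses. The patterns are kept as single-quoted strings, exactly as they would sit inside a grok "match" string; the sample text is the constructed $str from the scripts above, and the function names are this example's own.

```ruby
# Added example, not from the original post. Shows how capturing, non-capturing
# (?:...), comment (?#...) and named (?<name>...) groups behave in an
# Oniguruma-family engine, using the same input string as the Perl scripts.

# Constructed input, identical to $str in the Perl scripts.
SAMPLE = " begin 123.456 end "

# Compile a grok-style pattern string and run it against text.
# Returns nil when nothing matches, otherwise the named captures (the %+ hash
# in Perl terms) and the positional captures ($1, $2, ... in Perl terms).
def capture(pattern_src, text)
  m = Regexp.new(pattern_src).match(text)
  return nil unless m
  { named: m.named_captures, positional: m.captures }
end

# Pattern 1: \d+ alone stops at the decimal point, so only "123" is captured.
def pattern_digits_only
  capture('(?<request_time>\d+)', SAMPLE)
end

# Pattern 2: optional fraction in a plain capturing group -> two positional captures.
def pattern_capturing_fraction
  capture('\s+(\d+(\.\d+)?)\s+', SAMPLE)
end

# Pattern 3: the fraction wrapped in (?:...) -> only one positional capture.
def pattern_noncapturing_fraction
  capture('\s+(\d+(?:\.\d+)?)\s+', SAMPLE)
end

# The pattern from grok.conf: a named group around the whole number.
def pattern_grok
  capture('\s+(?<request_time>\d+(?:\.\d+)?)\s+', SAMPLE)
end

# A (?#...) comment inside the pattern is discarded and matches nothing.
def pattern_with_comment
  capture('(?#request time field)\s+(?<request_time>\d+(?:\.\d+)?)\s+', SAMPLE)
end

# The second Perl script mixes a named group with an unnamed one. Oniguruma and
# Onigmo differ from Perl here: once a pattern contains a named group, plain
# parentheses are treated as non-capturing, so there is no ".456" in $2.
def pattern_mixed
  capture('\s+(?<request_time>\d+(\.\d+)?)\s+', SAMPLE)
end

if __FILE__ == $PROGRAM_NAME
  %i[pattern_digits_only pattern_capturing_fraction pattern_noncapturing_fraction
     pattern_grok pattern_with_comment pattern_mixed].each do |name|
    puts "#{name}: #{send(name).inspect}"
  end
end
```

Run it with `ruby file.rb` to print each result. The last case is the one to remember when moving a pattern from Perl to grok: the Perl output "$2 is .456" is not reproduced, because in the Oniguruma family unnamed parentheses stop capturing as soon as the pattern contains a named group.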
2. grok expression syntax:
Input: 1bc
Pattern: (?<request_time>[a-zA-Z0-9._-])
{
"request_time": [
[
"1"
]
]
}
4. Advanced usage
1. Multi-line matching: when grok is combined with codec/multiline, keep in mind that a grok regex behaves like an ordinary regex: by default it does not match across carriage returns and line feeds.
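An added example (not from the original post) of the multi-line caveat, run in Ruby's Onigmo engine, which shares grok's Oniguruma-family syntax. The two-line event text is constructed, and the function names are this example's own.

```ruby
# Added example, not from the original post. Demonstrates why a grok pattern
# that works on one line fails once codec/multiline joins lines into one event.

# Constructed two-line event, the kind of text codec/multiline hands to grok.
EVENT = "begin 123.456\nend"

# Compile a grok-style pattern string; return the named captures or nil.
def named_match(pattern_src, text)
  m = Regexp.new(pattern_src).match(text)
  m && m.named_captures
end

# "." does not match "\n" by default, so ".*" cannot reach "end" on line two.
def dot_default
  named_match('begin (?<rest>.*)end', EVENT)
end

# The inline (?m) option makes "." match newlines in Oniguruma/Ruby syntax
# (this is what Perl calls /s); the capture now includes the line break.
def dot_multiline
  named_match('(?m)begin (?<rest>.*)end', EVENT)
end

# \s already includes \n, so anchoring the number with \s on both sides
# works across the line break without any option.
def whitespace_class
  named_match('begin\s+(?<request_time>\d+(?:\.\d+)?)\s+end', EVENT)
end

if __FILE__ == $PROGRAM_NAME
  puts "dot_default:      #{dot_default.inspect}"
  puts "dot_multiline:    #{dot_multiline.inspect}"
  puts "whitespace_class: #{whitespace_class.inspect}"
end
```

The practical choice is between the two fixes shown: prefix the grok pattern with (?m) when a field really must span lines, or, where the field itself is single-line and only the surrounding separators cross the break, rely on \s rather than on "." to bridge it.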