logstash (?m) 经典例子

在和 codec/multiline 搭配使用的时候，需要注意一个问题，grok 正则和普通正则一样，默认是不支持匹配回车换行的。就像你需要 =~ //m 一样也需要单独指定，具体写法是在表达式开始位置加 (?m) 标记。


s  空格,和 [
	
f] 语法一样 

(s*S+s*).* 匹配0个或者多个前导字符
 

简单demo:

 SELECT t.*  FROM
 	    (
 			SELECT 
 			t1.sn AS clientSn,
 			t1.userNick,
 			t1.mobilePhone,
 			t3.personName,
 			t2.availableBalance,
 			(SELECT IFNULL(SUM(amount) , 0) FROM ClientRechargeOrder t WHERE t.clientSn= t1.sn AND t.status ='2') AS rechargeAmount,
 			(SELECT IFNULL(SUM(amount) , 0) FROM ClientWithDrawOrder t WHERE t.clientSn= t1.sn AND t.status IN ('1','2','3','4') ) AS withdrawAmount,
 			( (SELECT IFNULL(SUM(capitalBalance) , 0) FROM ProductRepayment t WHERE t.clientSn= t1.sn AND t.status= '1') 
 			  + 
 			  (SELECT IFNULL(SUM(capitalBalance) , 0) FROM VirtualProductOrder t WHERE t.clientSn= t1.sn AND t.status= '1')  
 			) AS investAmount,
 			( (SELECT IFNULL(SUM(yieldBalance) , 0) FROM ProductRepayment t WHERE t.clientSn= t1.sn AND t.status= '2') 
 			  + 
 			  (SELECT IFNULL(SUM(yieldBalance) , 0) FROM VirtualProductOrder t WHERE t.clientSn= t1.sn AND t.status= '2')  
 			) AS yieldAmount,
 			(SELECT IFNULL(SUM(t0.amount) , 0) FROM ClientCoupon t,Coupon t0 WHERE t.clientSn= t1.sn AND t.status = '2' AND t.couponSn = t0.sn AND t0.type IN (1,2)) AS cashCouponAmount
 			FROM  Client t1 , ClientAssetInfo t2 , ClientPersonalInfo t999
 			WHERE t1.sn = t2.clientSn AND t1.sn = t3.clientSn
 	    ) t  WHERE (t.rechargeAmount + t.yieldAmount + t.cashCouponAmount - t.withdrawAmount - t.investAmount - t.availableBalance) != 0;




正则表达式；
s*(?<query>(s*S+s*).*)s*

匹配结果:
{
  "query": [
    [
      "SELECT t.*  FROM"
    ]
  ]
}

////////////////////////////////////

正则表达式：
(?m)s*(?<query>(s*S+s*).*)s*


匹配结果:



{
  "query": [
    [
      "SELECT t.*  FROM
 	    (
 			SELECT 
 			t1.sn AS clientSn,
 			t1.userNick,
 			t1.mobilePhone,
 			t3.personName,
 			t2.availableBalance,
 			(SELECT IFNULL(SUM(amount) , 0) FROM ClientRechargeOrder t WHERE t.clientSn= t1.sn AND t.status ='2') AS rechargeAmount,
 			(SELECT IFNULL(SUM(amount) , 0) FROM ClientWithDrawOrder t WHERE t.clientSn= t1.sn AND t.status IN ('1','2','3','4') ) AS withdrawAmount,
 			( (SELECT IFNULL(SUM(capitalBalance) , 0) FROM ProductRepayment t WHERE t.clientSn= t1.sn AND t.status= '1') 
 			  + 
 			  (SELECT IFNULL(SUM(capitalBalance) , 0) FROM VirtualProductOrder t WHERE t.clientSn= t1.sn AND t.status= '1')  
 			) AS investAmount,
 			( (SELECT IFNULL(SUM(yieldBalance) , 0) FROM ProductRepayment t WHERE t.clientSn= t1.sn AND t.status= '2') 
 			  + 
 			  (SELECT IFNULL(SUM(yieldBalance) , 0) FROM VirtualProductOrder t WHERE t.clientSn= t1.sn AND t.status= '2')  
 			) AS yieldAmount,
 			(SELECT IFNULL(SUM(t0.amount) , 0) FROM ClientCoupon t,Coupon t0 WHERE t.clientSn= t1.sn AND t.status = '2' AND t.couponSn = t0.sn AND t0.type IN (1,2)) AS cashCouponAmount
 			FROM  Client t1 , ClientAssetInfo t2 , ClientPersonalInfo t999
 			WHERE t1.sn = t2.clientSn AND t1.sn = t3.clientSn
 	    ) t  WHERE (t.rechargeAmount + t.yieldAmount + t.cashCouponAmount - t.withdrawAmount - t.investAmount - t.availableBalance) != 0;


"
    ]
  ]
}








继续测试；

表达式；

s*(?<query>(S+
*).*)s*


输出:

{
  "query": [
    [
      "SELECT t.*  FROM"
    ]
  ]
}

正则:
(?m)s*(?<query>(S+
*).*)s*


Grok Debugger

    Debugger
    Discover
    Patterns

Add custom patterns Keep Empty Captures Named Captures Only Singles Autocomplete  

{
  "query": [
    [
      "SELECT t.*  FROM
 	    (
 			SELECT 
 			t1.sn AS clientSn,
 			t1.userNick,
 			t1.mobilePhone,
 			t3.personName,
 			t2.availableBalance,
 			(SELECT IFNULL(SUM(amount) , 0) FROM ClientRechargeOrder t WHERE t.clientSn= t1.sn AND t.status ='2') AS rechargeAmount,
 			(SELECT IFNULL(SUM(amount) , 0) FROM ClientWithDrawOrder t WHERE t.clientSn= t1.sn AND t.status IN ('1','2','3','4') ) AS withdrawAmount,
 			( (SELECT IFNULL(SUM(capitalBalance) , 0) FROM ProductRepayment t WHERE t.clientSn= t1.sn AND t.status= '1') 
 			  + 
 			  (SELECT IFNULL(SUM(capitalBalance) , 0) FROM VirtualProductOrder t WHERE t.clientSn= t1.sn AND t.status= '1')  
 			) AS investAmount,
 			( (SELECT IFNULL(SUM(yieldBalance) , 0) FROM ProductRepayment t WHERE t.clientSn= t1.sn AND t.status= '2') 
 			  + 
 			  (SELECT IFNULL(SUM(yieldBalance) , 0) FROM VirtualProductOrder t WHERE t.clientSn= t1.sn AND t.status= '2')  
 			) AS yieldAmount,
 			(SELECT IFNULL(SUM(t0.amount) , 0) FROM ClientCoupon t,Coupon t0 WHERE t.clientSn= t1.sn AND t.status = '2' AND t.couponSn = t0.sn AND t0.type IN (1,2)) AS cashCouponAmount
 			FROM  Client t1 , ClientAssetInfo t2 , ClientPersonalInfo t999
 			WHERE t1.sn = t2.clientSn AND t1.sn = t3.clientSn
 	    ) t  WHERE (t.rechargeAmount + t.yieldAmount + t.cashCouponAmount - t.withdrawAmount - t.investAmount - t.availableBalance) != 0;


"
    ]
  ]
}

“I grok in fullness.” Robert A. Heinlein, Stranger in a Strange Land
相关阅读:
eclipse里面已经提交的svn提交
 session 失效
 svn版本管理
 前端控制台调试经验
 python001环境搭建及入门 http://python.jobbole.com/81332/
eclipse自己写makefile 建工程
 编码风格
 算法导论第22章22.2广度优先搜索
 vnc相关
 eclipse相关设置
原文地址：https://www.cnblogs.com/zhaoyangjian724/p/6199127.html