grok 正则捕获

(?#...) 否 注释，抛弃

(?:...) 是 只集群，不捕获的圆括弧

命名分组格式为(?<grp name>)

命名分组的匹配的结果存在在变量%+变量中，取命名分组值，$+{grp name}.

数字 [0-9] d
d+

空白 [tnrf] s
词 [a-zA-Z_0-9] w



[elk@Vsftp logstash]$ cat grok.conf 
input {stdin {}}
 filter {
  grok {
   match =>{
   "message" =>"s+(?<request_time>d+(?:.d+)?)s+"
      }
  }
}

output {
        stdout {
                        codec => rubydebug
                }
}

[elk@Vsftp logstash]$ logstash -f grok.conf 
Settings: Default pipeline workers: 4
Pipeline main started
 begin 123.456 end
{
         "message" => " begin 123.456 end","@version" => "1","@timestamp" => "2017-02-08T06:11:06.570Z","host" => "Vsftp","request_time" => "123.456"
}


perl 正则捕获:
(?:.d+)  对捕获的 不记录到$1,$2,$3中  



Vsftp:/root/20170208# cat a1.pl 
my $str="  begin 123.456 end  ";  
if ($str =~/(?<request_time>d+)/)  
   {  
    my ($request_time) = ($+{request_time});    
   print $request_time."n";};
Vsftp:/root/20170208# perl a1.pl 
123



Vsftp:/root/20170208# cat a1.pl 
my $str="  begin 123.456 end  ";  
 
if ($str =~/s+(?<request_time>d+(.d+)?)s+/)  
   {  
    my ($request_time) = ($+{request_time});    
    print "$1 is $1n";
    print "$2 is $2n";
    print $request_time."n";
    };

Vsftp:/root/20170208# perl a1.pl 
$1 is 123.456
$2 is .456
123.456


Vsftp:/root/20170208# cat a1.pl 
my $str="  begin 123.456 end  ";  
#if ($str =~/s+(?<request_time>d+(?:.d+)?)s+/)  
if ($str =~/s+(?<request_time>d+(?:.d+)?)s+/)  
   {  
    my ($request_time) = ($+{request_time});    
    print "$1 is $1n";
    print "$2 is $2n";
    print $request_time."n";
    };
Vsftp:/root/20170208# perl a1.pl 
$1 is 123.456
$2 is 
123.456



2. grok 表达式语法:

1bc


(?<request_time>[a-zA-Z0-9._-])

{
  "request_time": [
    [
      "1"
    ]
  ]
}




4.高级用法


1.多行匹配 在codec/multiline 搭配使用的时候,需要注意一个问题,grok 正则和普通正则一样,默认是不支持匹配回车换行的

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!