Extension   Atomic   Meaning
(?#...)     No       Comment, discarded
(?:...)     Yes      Cluster-only parentheses, no capturing

Named groups are written (?<grp_name>...). The text a named group matches is stored in the %+ hash; the value is retrieved with $+{grp_name}.

Shorthand   Character class   Meaning
\d          [0-9]             digit
\d+                           one or more digits
\s          [\t\n\r\f]        whitespace
\w          [a-zA-Z_0-9]      word character
[elk@Vsftp logstash]$ cat grok.conf
input {stdin {}}
filter {
grok {
match =>{
"message" =>"\s+(?<request_time>\d+(?:\.\d+)?)\s+"
}
}
}
output {
stdout {
codec => rubydebug
}
}
[elk@Vsftp logstash]$ logstash -f grok.conf
Settings: Default pipeline workers: 4
Pipeline main started
begin 123.456 end
{
"message" => " begin 123.456 end",
"@version" => "1",
"@timestamp" => "2017-02-08T06:11:06.570Z",
"host" => "Vsftp",
"request_time" => "123.456"
}
Perl regex capturing:
(?:\.\d+) matches text, but what it matches is not recorded in $1, $2, $3.
Vsftp:/root/20170208# cat a1.pl
my $str=" begin 123.456 end ";
if ($str =~/(?<request_time>\d+)/)
{
my ($request_time) = ($+{request_time});
print $request_time."\n";};
Vsftp:/root/20170208# perl a1.pl
123
Vsftp:/root/20170208# cat a1.pl
my $str=" begin 123.456 end ";
if ($str =~/\s+(?<request_time>\d+(\.\d+)?)\s+/)
{
my ($request_time) = ($+{request_time});
print "\$1 is $1\n";
print "\$2 is $2\n";
print $request_time."\n";
};
Vsftp:/root/20170208# perl a1.pl
$1 is 123.456
$2 is .456
123.456
Vsftp:/root/20170208# cat a1.pl
my $str=" begin 123.456 end ";
#if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
{
my ($request_time) = ($+{request_time});
print "\$1 is $1\n";
print "\$2 is $2\n";
print $request_time."\n";
};
Vsftp:/root/20170208# perl a1.pl
$1 is 123.456
$2 is
123.456
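The three Perl runs above, redone as an added example in Ruby (this is not code from the original page). Ruby's Onigmo engine uses the same (?<name>...) and (?:...) syntax as grok, so the capture behaviour shown here is what the grok.conf earlier on the page relies on. The input string is constructed to match the page's $str; the function names are my own.

```ruby
# Added example, not from the original page: Perl's $1/$2 and %+ behaviour
# reproduced with Ruby's MatchData.  Input is constructed, same as the page's $str.
STR = " begin 123.456 end ".freeze

# Run 1: \d+ alone stops at the decimal point, so only the integer part is captured.
def integer_only(str)
  m = str.match(/(?<request_time>\d+)/)
  m && m[:request_time]          # nil when nothing matches
end

# Run 2: a plain (...) group creates a numbered capture, so the fractional
# part appears as a second group next to the whole number (Perl's $1 and $2).
def capturing_groups(str)
  m = str.match(/\s+(\d+(\.\d+)?)\s+/)
  m && m.captures                # ["123.456", ".456"]
end

# Run 3: (?:...) clusters without capturing, so only one numbered group exists;
# Perl's $2 is undefined, and here the captures array has a single element.
def non_capturing_group(str)
  m = str.match(/\s+(\d+(?:\.\d+)?)\s+/)
  m && m.captures                # ["123.456"]
end

# Named capture, as used in the page's grok.conf: fetch the value by name
# (Perl's $+{request_time}) instead of by position, and list the names present.
def named_capture(str)
  m = str.match(/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
  return nil unless m
  { "request_time" => m[:request_time], "names" => m.names }
end

if __FILE__ == $PROGRAM_NAME
  p integer_only(STR)
  p capturing_groups(STR)
  p non_capturing_group(STR)
  p named_capture(STR)
end
```

Retrieving by name is the safer habit for log parsing: inserting or removing a group elsewhere in the pattern renumbers $1/$2, but $+{request_time} (or m[:request_time]) keeps working.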
2. grok 表达式语法:
1bc
(?<request_time>[a-zA-Z0-9._-])
{
"request_time": [
[
"1"
]
]
}
4. Advanced usage
1. Multiline matching: when grok is used together with the multiline codec, one issue needs attention: grok regexes, like ordinary regexes, do not match carriage returns or newlines by default.
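Two grok pitfalls from the sections above, the unquantified character class in section 2 (pattern (?<request_time>[a-zA-Z0-9._-]) on input 1bc yielding only "1") and the newline point in section 4, shown as an added example in Ruby rather than code from the page. Ruby's Onigmo engine shares its syntax with grok's Oniguruma-based matcher; the inputs are constructed and the function names are my own. That grok accepts the inline (?m) modifier in the same way is an assumption; the explicit-newline form does not depend on it.

```ruby
# Added example, not from the original page.  Constructed inputs:
ONE_LINE  = "1bc".freeze
TWO_LINES = "begin 123.456\nend".freeze

# Pitfall 1: a character class matches exactly one character unless quantified.
# The page's pattern captures "1" from "1bc"; adding + captures the whole token.
def capture_without_quantifier(str)
  m = str.match(/(?<request_time>[a-zA-Z0-9._-])/)
  m && m[:request_time]
end

def capture_with_quantifier(str)
  m = str.match(/(?<request_time>[a-zA-Z0-9._-]+)/)
  m && m[:request_time]
end

# Pitfall 2: '.' does not match a newline by default, so ".*" cannot bridge
# the two lines of a multiline event.  Note that \s DOES match "\n"; it is
# only '.' that stops at the line break.
def bridge_with_dot(str)
  !str.match(/begin.*end/).nil?
end

# Fix A: Ruby/Onigmo inline (?m) makes '.' match newline (Ruby's "m" is what
# Perl calls "s").  Assumed, not verified here, to behave the same in grok.
def bridge_with_multiline_flag(str)
  !str.match(/(?m)begin.*end/).nil?
end

# Fix B: match the newline explicitly; this works identically in every engine
# and also pulls out the value we want from the first line.
def bridge_with_explicit_newline(str)
  m = str.match(/begin\s+(?<request_time>\d+(?:\.\d+)?)\nend/)
  m && m[:request_time]
end

if __FILE__ == $PROGRAM_NAME
  p capture_without_quantifier(ONE_LINE)
  p capture_with_quantifier(ONE_LINE)
  p bridge_with_dot(TWO_LINES)
  p bridge_with_multiline_flag(TWO_LINES)
  p bridge_with_explicit_newline(TWO_LINES)
end
```

When a multiline event reaches grok, prefer the explicit \n (or \s+) between the pieces you expect on separate lines; a pattern that silently matches nothing produces a _grokparsefailure tag rather than an error, so a test like the one here is the quickest way to catch it.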