Perl extended-pattern syntax (the middle column is the "atomic" column of Perl's extended-pattern table):

    (?#...)   no    a comment, discarded
    (?:...)   yes   clustering-only parentheses, no capture

The named-group form is (?<grp name>...). The result matched by a named group is stored in the %+ hash, and the value of a named group is read as $+{grp name}.

Common character classes:

    digit        [0-9]           \d   (\d+ for one or more digits)
    whitespace   [ \t\n\r\f]     \s
    word         [a-zA-Z_0-9]    \w

A grok filter that uses a named group together with a non-capturing group; the optional fractional part (?:\.\d+)? is grouped only so the ? quantifier applies to it, and the one field added to the event is request_time:

    [elk@Vsftp logstash]$ cat grok.conf
    input {stdin {}}
    filter {
      grok {
        match =>{
          "message" =>"\s+(?<request_time>\d+(?:\.\d+)?)\s+"
        }
      }
    }
    output {
      stdout {
        codec => rubydebug
      }
    }
    [elk@Vsftp logstash]$ logstash -f grok.conf
    Settings: Default pipeline workers: 4
    Pipeline main started
     begin 123.456 end
    {
           "message" => " begin 123.456 end",
          "@version" => "1",
        "@timestamp" => "2017-02-08T06:11:06.570Z",
              "host" => "Vsftp",
      "request_time" => "123.456"
    }

Perl regex capture: a non-capturing group such as (?:\.\d+) is not recorded in $1, $2, $3.

With \d+ alone the match stops at the decimal point:

    Vsftp:/root/20170208# cat a1.pl
    my $str=" begin 123.456 end ";
    if ($str =~/(?<request_time>\d+)/)
    {
      my ($request_time) = ($+{request_time});
      print $request_time."\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    123

With an ordinary capturing group (\.\d+)? inside the named group, the fractional part also lands in $2:

    Vsftp:/root/20170208# cat a1.pl
    my $str=" begin 123.456 end ";
    if ($str =~/\s+(?<request_time>\d+(\.\d+)?)\s+/)
    {
      my ($request_time) = ($+{request_time});
      print "\$1 is $1\n";
      print "\$2 is $2\n";
      print $request_time."\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    $1 is 123.456
    $2 is .456
    123.456

With the non-capturing form (?:\.\d+)? the named group is still $1, but $2 is no longer set:

    Vsftp:/root/20170208# cat a1.pl
    my $str=" begin 123.456 end ";
    #if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
    if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
    {
      my ($request_time) = ($+{request_time});
      print "\$1 is $1\n";
      print "\$2 is $2\n";
      print $request_time."\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    $1 is 123.456
    $2 is 
    123.456

2. Grok expression syntax:

Input text 1bc matched against the pattern below; without a quantifier the character class matches a single character, so only "1" is captured:

    (?<request_time>[a-zA-Z0-9._-])

    {
      "request_time": [
        [
          "1"
        ]
      ]
    }

4. Advanced usage

4.1 Multi-line matching

When grok is combined with codec/multiline there is one thing to watch out for: a grok regex, like an ordinary regex, does not match carriage returns or newlines by default.
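The behaviour described above, as an added example that is not part of the original page or of Logstash itself: a small Ruby stand-in for the grok filter (grok patterns are Ruby-flavoured Onigmo/Joni regexes), covering the named-group capture from the grok.conf session, the single-character "1bc" case from section 2, the capturing versus non-capturing group difference from the Perl runs, and the newline caveat from section 4.1. The function names, the event hash layout and the sample strings are constructed for this example.

```ruby
# Added example, not code from the page or from Logstash. A minimal
# stand-in for the grok filter, written in Ruby because grok patterns
# are Ruby (Onigmo/Joni) regexes. Function names and samples are
# constructed for this example.

# Apply a grok-style pattern with named groups to one field of an event
# and copy every named capture into the event, like grok's match => {}.
# Returns the enriched event, or nil when the pattern does not match
# (real grok would add a "_grokparsefailure" tag instead; simplified here).
def grok_match(event, field, pattern)
  m = Regexp.new(pattern).match(event[field].to_s)
  return nil unless m
  event.merge(m.named_captures)
end

# Groups a pattern exposes as captures, to show the difference between
# (...) and the non-capturing (?:...).
def numbered_captures(pattern, text)
  m = Regexp.new(pattern).match(text)
  m ? m.captures : nil
end

# Whether a pattern matches a multi-line string. In Ruby/Onigmo the "m"
# flag (inline: (?m)) makes "." also match a newline, which is what Perl
# calls /s; without it "." stops at the line break.
def matches_across_lines?(pattern, text)
  !Regexp.new(pattern).match(text).nil?
end

SAMPLE_LINE  = " begin 123.456 end "    # constructed, same text as the page's runs
SAMPLE_MULTI = "begin 123.456\nend"     # constructed multi-line event

if __FILE__ == $0
  event = { "message" => SAMPLE_LINE, "host" => "example-host" }

  # (?:\.\d+)? is grouped only for the "?" quantifier and creates no
  # capture, so the single field added is request_time.
  p grok_match(event, "message", '\s+(?<request_time>\d+(?:\.\d+)?)\s+')
  # => {"message"=>" begin 123.456 end ", "host"=>"example-host", "request_time"=>"123.456"}

  # No quantifier on the class: one character is captured, as with "1bc".
  p grok_match({ "message" => "1bc" }, "message", '(?<request_time>[a-zA-Z0-9._-])')

  # Plain parentheses number their groups; a non-capturing group does not.
  p numbered_captures('(\d+)(\.\d+)?', SAMPLE_LINE)
  p numbered_captures('(\d+)(?:\.\d+)?', SAMPLE_LINE)

  # Ruby-specific caveat: once a pattern contains a named group, unnamed
  # parentheses stop capturing, so (\.\d+) does not become a second group
  # here the way it becomes $2 in Perl.
  p numbered_captures('\s+(?<request_time>\d+(\.\d+)?)\s+', SAMPLE_LINE)

  # Multi-line: "." does not cross the newline unless (?m) is set.
  p matches_across_lines?('begin.+end', SAMPLE_MULTI)
  p matches_across_lines?('(?m)begin.+end', SAMPLE_MULTI)
end
```

Because Ruby's `(?m)` is Perl's `/s`, a grok pattern that has to span lines needs that flag (or an explicit `\n` / `\s` in the pattern) rather than relying on `.`; and since named groups switch off unnamed captures in Ruby, use `(?:...)` for grouping inside grok patterns so the intent is explicit in both engines.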