Grok pattern in Logstash

username [a-za-z0-9_-]+user %{username}int  (?: [+]? (?: [0-9]+)] base10num  (? <![ 0-9.+-]) (? >[+-]? (?:(?: [0-9]+ (?: \. [0-9]+]?) | (?:\. [0-9]+)] number  (?:%{base10num}) base16num  (? <![ 0-9A-FA-F]) (?: [-+]? (?: 0 x)? (?: [0-9a-fa-f]+)] base16float \b (? <![ 0-9a-fa-f.]) (?:[+-]? (?: 0 x)? (?:(?: [0-9a-fa-f]+ (?: \. [0-9a-fa-f]*]?) | (?:\. [0-9a-fa-f]+)] \b posint \b (?: [1-9][0-9]*) \bnonnegint \b (?: [0-9]+) \bword \b\w+\bnotspace  \s+space \s*data .*? greedydata .* quotedstring  (?> (? <!\\) (?> "(? >\\.| [^\\"]+)+"|""| (?> ' (? >\\.| [^\\ ']+) + ') | (?> ' (? >\\.| [^\\ ']+) + ') uuid [a-fa-f0-9]{8}-(?: [a-fa-f0-9]{4}-) {3}[a-fa-f0-9]{12} # networkingmac  (?:%{ciscomac}|%{windowsmac}|%{commonmac}) ciscomac  (?:(?: [A-fa-f0-9]{4}\.) {2} [A-fa-f0-9] {4}) windowsmac  (?:(?: [a-fa-f0-9]{2}-) {5}[a-fa-f0-9]{2}) commonmac  (?:(?: [a-fa-f0-9]{2}:) {5}[a-fa-f0-9]{2} ) ip  (? <![ 0-9]) (?:(? : 25[0-5]|2[0-4][0-9]| [0-1]? [0-9] {.}) [.] (?: 25[0-5]|2[0-4][0-9]| [0-1]? [0-9] {.}) [.] (?: 25[0-5]|2[0-4][0-9]| [0-1]? [0-9] {.}) [.] (?: 25[0-5]|2[0-4][0-9]| [0-1]? [0-9] {)}) (?! [0-9]) hostname \b (?: [0-9a-za-z][0-9a-za-z-]{0,62}) (?: \. (?: [0-9a-za-z][0-9a-za-z-]{0,62})) *(\.?| \b) host %{hostname}iporhost  (?:%{hostname}|%{ip}) hostport  (?:%{iporhost=~/\./}:%{posint})   # pathspath  (?:%{unixpath}|%{winpath}) unixpath  (? >/(? >[\w_%[email protected]:.,-]+|\ \.) *) + #UNIXPATH   (<![ \w\/]) (?:/ [^\/\s?*]*] +linuxtty  (? >/dev/pts/%{nonnegint}) bsdtty  (? >/dev/tty[pq][a-z0-9]) TTY  (?:%{ Bsdtty}|%{linuxtty}) winpath  (? >[a-za-z]+:|\\) (?: \ \[^\\?*]*) +uriproto [a-za-z]+ (\+[a-za-z+]+)? Urihost %{iporhost} (?::%{posint:port})? uripath  (?:/ [a-za-z0-9$.+!* ' () {},~:;=#%_\-]*) + #URIPARAM  \? (?: [a-za-z0-9]+ (?: = (?: [^&]*))?] (?:& (?: [a-za-z0-9]+ (?: = (?: [^&]*))?) *)? Uriparam \? [a-za-z0-9$.+!* ' | () {},~#%&/=:;_?\-\[\]]*uripathparam %{Uripath} (?:%{uriparam})? uri %{uriproto}://(?:%{user} (?:: [^@]*) [email protected])? (?:%{urihost})? (?:%{uripathparam})?  #  months: january, feb, 3, 03, 12, decembermonth \b (?: Jan (?: uary)? | Feb (?: ruary)? | Mar (?: ch)? | APR (?: il)? | may| June (?: E)? | Jul (?: Y)? | (?: UST)? | Sep (?: tember)? | OCT (?: o ber)? | Nov (?: Ember)? | Dec (?: Ember)?) \bmonthnum  (?: 0?) [1-9]|1[0-2]) monthday  (?:(?: 0 [1-9]) | (?: [12][0-9]) | (?: 3[01]) | [1-9])  # days: monday, tue, thu, etc ... day  (?: Mon (?:d ay)? | Tue (?: sday)? | Wed (?: nesday)? | Thu (?: rsday)? | Fri (?:d ay)? | Sat (?: urday)? | Sun (?:d ay)?)  # years? year  (? >\d\d) {1,2}hour  (?: 2[0123]|[ 01][0-9]) minute  (?: [0-5][0-9]) #  '  is a leap second in most  Time standards and thus is valid. second  (?:(?: [0-5][0-9]|60) (?: [:.,][0-9]+)?) time  (?! &LT;[0-9])%{hour}:%{minute} (?::%{second}) (?! [0-9])  # datestamp iS yyyy/mm/dd-hh:mm:ss. uuuu  (or something like it) date_us %{monthnum}[/-]%{monthday}[/-]%{year}date_eu  %{year}[./-]%{monthnum}[./-]%{monthday}iso8601_timezone  (?: z|[ +-]%{hour} (?::?%{minute})) iso8601_second  (?:%{second}|60) timestamp_iso8601 %{year}-%{monthnum}-%{ Monthday}[t ]%{hour}:?%{minute} (?::?%{second})?%{iso8601_timezone}? date %{date_us}|%{date_eu}datestamp %{date}[- ]%{time}tz  (?: [PMCE][SD]T) DATESTAMP_RFC822  %{day} %{month} %{monthday} %{year} %{time} %{tz}datestamp_other %{day}  %{month} %{monthday} %{time} %{tz} %{year} # syslog dates: month  Day HH:MM:SSSYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}PROG  (?: [\w._/%-]+) Syslogprog %{prog:program} (?: \ [%{posint:pid}\])? Sysloghost %{iporhost}syslogfacility <%{nonnegint:facility}.%{nonnegint:priority}>httpdate  %{monthday}/%{month}/%{year}:%{time} %{int} # shortcutsqs %{quotedstring} # log  formatssyslogbase %{syslogtimestamp:timestamp}  (?:%{syslogfacility} )?%{SYSLOGHOST:logsource}  %{syslogprog}:combinedapachelog %{iporhost:clientip} %{user:ident} %{user:auth} \[%{ httpdate:timestamp}\]  "(?:%{word:verb} %{notspace:request} (?:  http/%{number:httpversion})? | -) " %{NUMBER:response}  (?:%{number:bytes}|-)  %{qs:referrer} %{qs:agent} # log  LevelsLOGLEVEL  ([t|t]race| trace| [D|d]ebug| Debug| [n|n]otice| notice| [i|i]nfo|info| [W|w]arn? (?: ing)? | WARN? (?: I NG)? | [E|E]RR? (?: O R)? | Err? (?: O R)? | [C|c]rit? (?: ical)? | Crit? (?: I CAL)? | [f|f]atal| fatal| [s|s]evere| SEVERE)

Logstash There are many more pattern, please refer to

Https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

This article is from the "Zengestudy" blog, make sure to keep this source http://zengestudy.blog.51cto.com/1702365/1782593

Grok pattern in Logstash