Perl regex grouping extensions (extension / atomic? / meaning):

    (?#...)   No    Comment; the text is discarded
    (?:...)   Yes   Cluster-only parentheses; groups without capturing

Named groups are written (?<grp name>...). Whatever a named group matches is stored in the %+ hash, so the value of a named group is read as $+{grp name}.

Character-class shorthands:

    digit        [0-9]           \d   (\d+ for one or more digits)
    whitespace   [ \t\n\r\f]     \s
    word         [a-zA-Z_0-9]    \w

A grok filter that uses a named group (Logstash grok runs on the Oniguruma engine, which accepts the same (?<name>...) syntax) to pull a decimal number out of the message:

    [elk@Vsftp logstash]$ cat grok.conf
    input {
        stdin {}
    }
    filter {
        grok {
            match => {
                "message" => "\s+(?<request_time>\d+(?:\.\d+)?)\s+"
            }
        }
    }
    output {
        stdout {
            codec => rubydebug
        }
    }

    [elk@Vsftp logstash]$ logstash -f grok.conf
    Settings: Default pipeline workers: 4
    Pipeline main started
     begin 123.456 end
    {
           "message" => " begin 123.456 end",
          "@version" => "1",
        "@timestamp" => "2017-02-08T06:11:06.570Z",
              "host" => "Vsftp",
      "request_time" => "123.456"
    }

Perl regex captures: the text matched by the (?:\.\d+) group is consumed but is not recorded in $1, $2, $3, ...

First, a named group that matches only the digits before the decimal point, so \d+ stops at "123":

    Vsftp:/root/20170208# cat a1.pl
    my $str = " begin 123.456 end ";
    if ($str =~ /(?<request_time>\d+)/)
    {
        my ($request_time) = ($+{request_time});
        print $request_time . "\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    123

Next, the optional fraction in an ordinary capturing group (\.\d+). The named group is also $1, and the plain group becomes $2:

    Vsftp:/root/20170208# cat a1.pl
    my $str = " begin 123.456 end ";
    if ($str =~ /\s+(?<request_time>\d+(\.\d+)?)\s+/)
    {
        my ($request_time) = ($+{request_time});
        print "\$1 is $1\n";
        print "\$2 is $2\n";
        print $request_time . "\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    $1 is 123.456
    $2 is .456
    123.456

Finally, the same pattern with the fraction in a cluster-only group (?:\.\d+). The fraction is still part of request_time, but no $2 is created, so the second print shows an empty value:

    Vsftp:/root/20170208# cat a1.pl
    my $str = " begin 123.456 end ";
    #if ($str =~ /\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
    if ($str =~ /\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
    {
        my ($request_time) = ($+{request_time});
        print "\$1 is $1\n";
        print "\$2 is $2\n";
        print $request_time . "\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    $1 is 123.456
    $2 is 
    123.456

2. grok expression syntax:

Input line:

    1bc

Pattern:

    (?<request_time>[a-zA-Z0-9._-])

Result:

    {
      "request_time": [
        [
          "1"
        ]
      ]
    }

The character class has no quantifier, so it matches exactly one character and only the "1" is captured; a + or * after the class would be needed to capture "1bc".

4. Advanced usage

1. Multiline matching. When grok is combined with codec/multiline, keep in mind that grok regexes behave like ordinary regexes: by default they do not match across carriage returns and newlines.
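The following is an added example, not code from the original post, written in Ruby because Logstash grok uses Ruby's Onigmo regex engine. It runs the post's three patterns against a constructed copy of the sample line to show named versus cluster-only groups, reproduces the quantifier-less grok pattern on "1bc", and demonstrates the newline caveat from the multiline section. Two behaviours go beyond the post and are stated as facts about Ruby/Onigmo rather than the post's own text: once a pattern contains a named group, a plain (...) group is not captured at all (unlike Perl, where it becomes $2), and the (?m) flag, Ruby's /m, is what lets "." match a newline (Perl's equivalent is /s). The constants and the helper names are the example's own.

```ruby
# Added example (not from the original post): how Ruby/Onigmo, the regex engine
# behind Logstash grok, treats named groups, cluster-only groups and newlines.
# SAMPLE is a constructed copy of the line used in the post.

SAMPLE = " begin 123.456 end "

# Return the named and the numbered captures of a match, or nil on no match.
def captures_for(regex, text)
  m = regex.match(text)
  return nil unless m
  { named: m.named_captures, numbered: m.captures }
end

# 1. Named group only: \d+ stops at the decimal point, so request_time is "123".
NAMED_ONLY = /(?<request_time>\d+)/

# 2. Named group plus a plain (...) group. In Perl the plain group becomes $2
#    (".456", as the post shows). In Ruby/Onigmo a plain group is NOT captured
#    once the pattern contains any named group, so only one capture comes back.
NAMED_PLUS_PLAIN = /\s+(?<request_time>\d+(\.\d+)?)\s+/

# 3. Named group plus (?:...): identical result in Perl, Ruby and grok; the
#    fraction is consumed as part of request_time but never stored on its own.
NAMED_PLUS_CLUSTER = /\s+(?<request_time>\d+(?:\.\d+)?)\s+/

# 4. The grok-syntax example from the post: a character class without a
#    quantifier consumes exactly one character, so "1bc" yields just "1".
SINGLE_CHAR = /(?<request_time>[a-zA-Z0-9._-])/

# 5. Newline caveat: "." does not match "\n" by default, so a pattern that has
#    to span lines fails. In Onigmo the (?m) flag (Ruby's /m) lets "." match a
#    newline; in Perl the same effect comes from /s.
def dot_spans_newline?(text, multiline: false)
  regex = multiline ? /begin.*end/m : /begin.*end/
  !regex.match(text).nil?
end

if __FILE__ == $0
  p captures_for(NAMED_ONLY, SAMPLE)
  p captures_for(NAMED_PLUS_PLAIN, SAMPLE)
  p captures_for(NAMED_PLUS_CLUSTER, SAMPLE)
  p captures_for(SINGLE_CHAR, "1bc")
  p dot_spans_newline?("begin\n123.456\nend")
  p dot_spans_newline?("begin\n123.456\nend", multiline: true)
end
```

Run it with `ruby groups.rb`. The practical lesson for grok patterns is to name every group you want to keep and to write everything else as (?:...): that is what grok's own %{PATTERN:field} syntax does internally, and it avoids depending on the Perl-versus-Onigmo difference in how unnamed groups are numbered.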