Grok_正则表达式

Grok的正则表达式，虽然不是太全，但是已经可以满足日志分析的需求。

转载请说明出处，谢谢。

如果有错误请指出，谢谢。

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------

#DavisDing

#2017-09-10

#第一版

名字	例子	正则表达式
IPV4	null	(?
IPV6	null	((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?
IP	null	(?:%{IPV6:UNWANTED}|%{IPV4:UNWANTED})
域名	null	(?:[a-zA-Z0-9]{1,62}(\.[a-zA-Z0-9]{1,62})\.(cn|com|net))
时间匹配	12/Jan/2017:15:39:12 +0800	(?:\[[01][0-9]/\w{3}/\d{2,4}:\d{1,2}:\d{1,2}:\d{1,2} \+\d{4}\])
URL	null	(?:(http|ftp|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?)
null
host	null	(?:[a-zA-Z0-9]{1,62}(\.[a-zA-Z0-9]{1,62})\.(cn|com|net))
null	null	(?:.*)
null	null	(?:\d+)
collect time	null	(?:[012][0-9]/\w{3}/\d{2,4}:\d{1,2}:\d{1,2}:\d{1,2})
MZ55	null	(?:\+\d{4})
http_method	http方法	(?:\w{3,8})
url	null	(?:/[\\A-Za-z0-9$.+!*'(){},~:;=@#% \[\]_<>^\-&?]*)+
protocol	null	(?:\w{2,8}/.*)
status	null	(?:[1-5][01][0-9])
client request size	客户请求大小	(?:\d+)
collect time	null	(?:[012][0-9]/\w{3}/\d{2,4}:\d{1,2}:\d{1,2}:\d{1,2})
null	null	(?:\w+)
null	null	(?:.+/[1-9]{1,2}\.[0-9]{1,2})
dst port	null	(?:[1-9]\d{1,5})
USERNAME	null	[a-zA-Z0-9._-]+
INT	null	(?:[+-]?(?:[0-9]+))
BASE10NUM	十进制,数字和小数	(?[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
QuotedString	有引号字符串	(?>(?"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
HostName	null	\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
MONTH	英月份	\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
MONTHDAY	一月的天数	(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
DAY	英 天	(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
YEAR	年	(?>\d\d){1,2})
HOUR	时间,小时	(?:2[0123]|[01]?[0-9])
MINUTE	时间,分	(?:[0-5][0-9])
SECOND	时间,秒	(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
Time	null	(?!<[0-9])%{HOUR:UNWANTED}:%{MINUTE:UNWANTED}(?::%{SECOND:UNWANTED})(?![0-9])
commonmac	mac	(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
windowsmac	mac	(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
ciscomac	mac	(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
word	任意单词	\b\w+\b
data	数据 ， 任意单词	.*
uuid	null	[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
time	2016-09-08 11:13:19,864，毫秒	%{YEAR:UNWANTED}-%{MONTHNUM:UNWANTED}-%{MONTHDAY:UNWANTED}[T ]%{HOUR:UNWANTED}:?%{MINUTE:UNWANTED}(?::?%{SECOND:UNWANTED}),?%{NUMBER:UNWANTED}
time	yyyy-mm-dd  21:24:30	%{YEAR:UNWANTED}-%{MONTHNUM:UNWANTED}-%{MONTHDAY:UNWANTED}[T ]%{HOUR:UNWANTED}:?%{MINUTE:UNWANTED}(?::?%{SECOND:UNWANTED})
number	数字引用base10num	(?:%{BASE10NUM:UNWANTED})
date us	null	%{MONTHNUM:UNWANTED}[/-]%{MONTHDAY:UNWANTED}[/-]%{YEAR:UNWANTED}
date eu	null	%{MONTHDAY:UNWANTED}[./-]%{MONTHNUM:UNWANTED}[./-]%{YEAR:UNWANTED}
time	mm/dd/yy 16:17:57 CST	%{DATE:UNWANTED} %{TIME:UNWANTED} %{TZ:UNWANTED}
tz	cst	(?:[PMCE][SD]T|UTC)
date	null	%{DATE_US:UNWANTED}|%{DATE_EU:UNWANTED}
time	时分秒,16:17:57	(?!<[0-9])%{HOUR:UNWANTED}:%{MINUTE:UNWANTED}(?::%{SECOND:UNWANTED})(?![0-9])
OTHER DATE	Aug 21 23:58:56 10.195.157.179	%{MONTH:UNWANTED} %{MONTHDAY:UNWANTED} %{TIME:UNWANTED}
no have	不要，不引用	?:
UNWANTED	未知，可做key	UNWANTED