grok正则
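# Grok pattern definitions: one `name regex` per line. `%{name}` expands another
# pattern inline; `%{name:field}` expands it and captures the match into `field`.
# Pattern names are case-sensitive and must match the spelling used below.
#
# Review notes on this copy: the character classes had been lower-cased, which
# silently dropped every uppercase letter ([a-za-z] == [a-z]) and turned
# notspace's \S into \s. Classes, literal keywords (month/day names, T, Z, UTC,
# HTTP/) and the log-level alternatives are restored to their intended case.
username [a-zA-Z0-9._-]+
user %{username}
int (?:[+-]?(?:[0-9]+))
# Leading negative lookbehind keeps a number from being matched out of the
# middle of a longer digit run; the atomic group (?>...) stops backtracking
# into the digits once they have matched.
base10num (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
number (?:%{base10num})
base16num (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
base16float \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b
posint \b(?:[1-9][0-9]*)\b
nonnegint \b(?:[0-9]+)\b
word \b\w+\b
# notspace is a run of NON-whitespace (\S); the lower-cased copy had \s+,
# which matched whitespace instead and broke e.g. %{notspace:request}.
notspace \S+
space \s*
# data is lazy and greedydata is greedy; both accept anything, so use them
# only where the surrounding literals anchor the match.
data .*?
greedydata .*
# Double-, single- or back-quoted string with backslash escapes. The atomic
# groups keep backtracking bounded when a closing quote is missing.
quotedstring (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
uuid [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
# networking
mac (?:%{ciscomac}|%{windowsmac}|%{commonmac})
ciscomac (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
windowsmac (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
commonmac (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
# Full and compressed (::) IPv6 forms, including IPv4-mapped tails. The trailing
# (%.+)? accepts a zone index but is greedy: if a '%' appears later on the
# line it will swallow the rest of the line, so anchor what follows.
ipv6 ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?
# Dotted quad with each octet limited to 0-255; the lookarounds reject a quad
# embedded in a longer digit run.
ipv4 (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])
ip (?:%{ipv6}|%{ipv4})
# Labels of up to 63 chars separated by dots; letters of either case are valid.
hostname \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
host %{hostname}
# hostname is tried first and its class includes digits and dots, so a plain
# IPv4 address is matched by the hostname branch rather than by %{ip}.
iporhost (?:%{hostname}|%{ip})
hostport %{iporhost}:%{posint}
# paths
path (?:%{unixpath}|%{winpath})
unixpath (?>/(?>[\w_%!$@:.,-]+|\\.)*)+
tty (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
# Drive letter (e.g. C:) or a leading backslash, then backslash-separated parts.
winpath (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
uriproto [A-Za-z]+(\+[A-Za-z+]+)?
urihost %{iporhost}(?::%{posint:port})?
# uripath comes loosely from RFC 1738, but mostly from what Firefox
# doesn't turn into %XX
uripath (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+
#uriparam \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)?
uriparam \?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*
uripathparam %{uripath}(?:%{uriparam})?
# Optional userinfo (user and password) is accepted before '@'; when a field
# name is attached to this pattern the captured text will include it.
uri %{uriproto}://(?:%{user}(?::[^@]*)?@)?(?:%{urihost})?(?:%{uripathparam})?
# months: January, Feb, 3, 03, 12, December
# Month names are capitalized as syslog and HTTP logs emit them.
month \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
monthnum (?:0?[1-9]|1[0-2])
monthnum2 (?:0[1-9]|1[0-2])
monthday (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
# days: Monday, Tue, Thu, etc...
day (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
# years? (two or four digits)
year (?>\d\d){1,2}
hour (?:2[0123]|[01]?[0-9])
minute (?:[0-5][0-9])
# '60' is a leap second in most time standards and thus is valid.
second (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
# The leading assertion is a negative LOOKBEHIND for a digit; the original
# copy had (?!<[0-9]), a lookahead for a literal '<', which never did that job.
time (?<![0-9])%{hour}:%{minute}(?::%{second})(?![0-9])
# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)
date_us %{monthnum}[/-]%{monthday}[/-]%{year}
date_eu %{monthday}[./-]%{monthnum}[./-]%{year}
# 'Z' (UTC designator) or a signed hh[:]mm offset.
iso8601_timezone (?:Z|[+-]%{hour}(?::?%{minute}))
iso8601_second (?:%{second}|60)
# Date and time may be joined by 'T' or a space.
timestamp_iso8601 %{year}-%{monthnum}-%{monthday}[T ]%{hour}:?%{minute}(?::?%{second})?%{iso8601_timezone}?
date %{date_us}|%{date_eu}
datestamp %{date}[- ]%{time}
# US zone abbreviations (PST, PDT, MST, ... EDT) and UTC.
tz (?:[PMCE][SD]T|UTC)
datestamp_rfc822 %{day} %{month} %{monthday} %{year} %{time} %{tz}
datestamp_rfc2822 %{day}, %{monthday} %{month} %{year} %{time} %{iso8601_timezone}
datestamp_other %{day} %{month} %{monthday} %{time} %{tz} %{year}
datestamp_eventlog %{year}%{monthnum2}%{monthday}%{hour}%{minute}%{second}
# syslog dates: month day hh:mm:ss
syslogtimestamp %{month} +%{monthday} %{time}
prog (?:[\w._/%-]+)
syslogprog %{prog:program}(?:\[%{posint:pid}\])?
sysloghost %{iporhost}
syslogfacility <%{nonnegint:facility}.%{nonnegint:priority}>
httpdate %{monthday}/%{month}/%{year}:%{time} %{int}
# shortcuts
qs %{quotedstring}
# log formats
syslogbase %{syslogtimestamp:timestamp} (?:%{syslogfacility} )?%{sysloghost:logsource} %{syslogprog}:
# Apache common log format; the request line is split into verb/request/version
# when well-formed, otherwise kept whole in rawrequest. Protocol token is 'HTTP/'.
commonapachelog %{iporhost:clientip} %{user:ident} %{user:auth} \[%{httpdate:timestamp}\] "(?:%{word:verb} %{notspace:request}(?: HTTP/%{number:httpversion})?|%{data:rawrequest})" %{number:response} (?:%{number:bytes}|-)
combinedapachelog %{commonapachelog} %{qs:referrer} %{qs:agent}
# log levels
# Each level is accepted capitalized/lower-case ([Aa]lert) and all-caps (ALERT).
loglevel ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)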