Grok_正则表达式

最新推荐文章于 2024-09-11 15:49:37 发布

AngusDavis

最新推荐文章于 2024-09-11 15:49:37 发布

阅读量2.8k

点赞数

分类专栏： Grok，正则表达式文章标签：正则表达式 Grok

本文链接：https://blog.csdn.net/AngusDavis/article/details/77921358

版权

Grok，正则表达式专栏收录该内容

1 篇文章 0 订阅

订阅专栏

Grok的正则表达式，虽然不是太全，但是已经可以满足日志分析的需求。

转载请说明出处，谢谢。

如果有错误请指出，谢谢。

#----------------------------------------------------------------------------------------------------------------------------------------------------------------------

#DavisDing

#2017-09-10

#第一版

名字	例子	正则表达式
IPV4	null	(?<![0-9])(?:(?:25[0-5]\|2[0-4][0-9]\|[0-1]?[0-9]{1,2})[.](?:25[0-5]\|2[0-4][0-9]\|[0-1]?[0-9]{1,2})[.](?:25[0-5]\|2[0-4][0-9]\|[0-1]?[0-9]{1,2})[.](?:25[0-5]\|2[0-4][0-9]\|[0-1]?[0-9]{1,2}))(?![0-9])
IPV6	null	((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}\|:))\|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}\|((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3})\|:))\|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})\|:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3})\|:))\|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})\|((:[0-9A-Fa-f]{1,4})?:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})\|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})\|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})\|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(:(((:[0-9A-Fa-f]{1,4}){1,7})\|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(\.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:)))(%.+)?
IP	null	(?:%{IPV6:UNWANTED}\|%{IPV4:UNWANTED})
域名	null	(?:[a-zA-Z0-9]{1,62}(\.[a-zA-Z0-9]{1,62})\.(cn\|com\|net))
时间匹配	12/Jan/2017:15:39:12 +0800	(?:\[[01][0-9]/\w{3}/\d{2,4}:\d{1,2}:\d{1,2}:\d{1,2} \+\d{4}\])
URL	null	(?:(http\|ftp\|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?)
null
host	null	(?:[a-zA-Z0-9]{1,62}(\.[a-zA-Z0-9]{1,62})\.(cn\|com\|net))
null	null	(?:.*)
null	null	(?:\d+)
collect time	null	(?:[012][0-9]/\w{3}/\d{2,4}:\d{1,2}:\d{1,2}:\d{1,2})
MZ55	null	(?:\+\d{4})
http_method	http方法	(?:\w{3,8})
url	null	(?:/[\\A-Za-z0-9$.+!'(){},~:;=@#% \[\]_<>^\-&?])+
protocol	null	(?:\w{2,8}/.*)
status	null	(?:[1-5][01][0-9])
client request size	客户请求大小	(?:\d+)
collect time	null	(?:[012][0-9]/\w{3}/\d{2,4}:\d{1,2}:\d{1,2}:\d{1,2})
null	null	(?:\w+)
null	null	(?:.+/[1-9]{1,2}\.[0-9]{1,2})
dst port	null	(?:[1-9]\d{1,5})
USERNAME	null	[a-zA-Z0-9._-]+
INT	null	(?:[+-]?(?:[0-9]+))
BASE10NUM	十进制,数字和小数	(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)\|(?:\.[0-9]+)))
QuotedString	有引号字符串	(?>(?<!\\)(?>"(?>\\.\|[^\\"]+)+"\|""\|(?>'(?>\\.\|[^\\']+)+')\|''\|(?>`(?>\\.\|[^\\`]+)+`)\|``))
HostName	null	\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?\|\b)
MONTH	英月份	\b(?:Jan(?:uary)?\|Feb(?:ruary)?\|Mar(?:ch)?\|Apr(?:il)?\|May\|Jun(?:e)?\|Jul(?:y)?\|Aug(?:ust)?\|Sep(?:tember)?\|Oct(?:ober)?\|Nov(?:ember)?\|Dec(?:ember)?)\b
MONTHDAY	一月的天数	(?:(?:0[1-9])\|(?:[12][0-9])\|(?:3[01])\|[1-9])
DAY	英天	(?:Mon(?:day)?\|Tue(?:sday)?\|Wed(?:nesday)?\|Thu(?:rsday)?\|Fri(?:day)?\|Sat(?:urday)?\|Sun(?:day)?)
YEAR	年	(?>\d\d){1,2})
HOUR	时间,小时	(?:2[0123]\|[01]?[0-9])
MINUTE	时间,分	(?:[0-5][0-9])
SECOND	时间,秒	(?:(?:[0-5]?[0-9]\|60)(?:[:.,][0-9]+)?)
Time	null	(?!<[0-9])%{HOUR:UNWANTED}:%{MINUTE:UNWANTED}(?::%{SECOND:UNWANTED})(?![0-9])
commonmac	mac	(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
windowsmac	mac	(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
ciscomac	mac	(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
word	任意单词	\b\w+\b
data	数据，任意单词	.*
uuid	null	[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
time	2016-09-08 11:13:19,864，毫秒	%{YEAR:UNWANTED}-%{MONTHNUM:UNWANTED}-%{MONTHDAY:UNWANTED}[T ]%{HOUR:UNWANTED}:?%{MINUTE:UNWANTED}(?::?%{SECOND:UNWANTED}),?%{NUMBER:UNWANTED}
time	yyyy-mm-dd 21:24:30	%{YEAR:UNWANTED}-%{MONTHNUM:UNWANTED}-%{MONTHDAY:UNWANTED}[T ]%{HOUR:UNWANTED}:?%{MINUTE:UNWANTED}(?::?%{SECOND:UNWANTED})
number	数字引用base10num	(?:%{BASE10NUM:UNWANTED})
date us	null	%{MONTHNUM:UNWANTED}[/-]%{MONTHDAY:UNWANTED}[/-]%{YEAR:UNWANTED}
date eu	null	%{MONTHDAY:UNWANTED}[./-]%{MONTHNUM:UNWANTED}[./-]%{YEAR:UNWANTED}
time	mm/dd/yy 16:17:57 CST	%{DATE:UNWANTED} %{TIME:UNWANTED} %{TZ:UNWANTED}
tz	cst	(?:[PMCE][SD]T\|UTC)
date	null	%{DATE_US:UNWANTED}\|%{DATE_EU:UNWANTED}
time	时分秒,16:17:57	(?!<[0-9])%{HOUR:UNWANTED}:%{MINUTE:UNWANTED}(?::%{SECOND:UNWANTED})(?![0-9])
OTHER DATE	Aug 21 23:58:56 10.195.157.179	%{MONTH:UNWANTED} %{MONTHDAY:UNWANTED} %{TIME:UNWANTED}
no have	不要，不引用	?:
UNWANTED	未知，可做key	UNWANTED