    (?#...)    No     Comment; discarded
    (?:...)    Yes    Cluster only; non-capturing parentheses

A named group is written (?<grp name>). The match for a named group is stored in the %+ variable; to read a named group's value, use $+{grp name}.

    Digit         [0-9]           \d    \d+
    Whitespace    [\t\n\r\f]      \s
    Word          [a-zA-Z_0-9]    \w

    [elk@Vsftp logstash]$ cat grok.conf
    input {stdin {}}
    filter {
      grok {
        match => { "message" => "\s+(?<request_time>\d+(?:\.\d+)?)\s+" }
      }
    }
    output {
      stdout { codec => rubydebug }
    }
    [elk@Vsftp logstash]$ logstash -f grok.conf
    Settings: Default pipeline workers: 4
    Pipeline main started
     begin 123.456 end
    {
             "message" => " begin 123.456 end",
            "@version" => "1",
          "@timestamp" => "2017-02-08T06:11:06.570Z",
                "host" => "Vsftp",
        "request_time" => "123.456"
    }

Perl regex capturing: what (?:\.\d+) matches is not recorded in $1, $2, $3.

    Vsftp:/root/20170208# cat a1.pl
    my $str=" begin 123.456 end ";
    if ($str =~/(?<request_time>\d+)/) {
        my ($request_time) = ($+{request_time});
        print $request_time."\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    123

    Vsftp:/root/20170208# cat a1.pl
    my $str=" begin 123.456 end ";
    if ($str =~/\s+(?<request_time>\d+(\.\d+)?)\s+/) {
        my ($request_time) = ($+{request_time});
        print "\$1 is $1\n";
        print "\$2 is $2\n";
        print $request_time."\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    $1 is 123.456
    $2 is .456
    123.456

    Vsftp:/root/20170208# cat a1.pl
    my $str=" begin 123.456 end ";
    #if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/)
    if ($str =~/\s+(?<request_time>\d+(?:\.\d+)?)\s+/) {
        my ($request_time) = ($+{request_time});
        print "\$1 is $1\n";
        print "\$2 is $2\n";
        print $request_time."\n";
    };
    Vsftp:/root/20170208# perl a1.pl
    $1 is 123.456
    $2 is 
    123.456

2. grok expression syntax:

    1bc
    (?<request_time>[a-zA-Z0-9._-])
    { "request_time": [ [ "1" ] ] }

4. Advanced usage

1. Multi-line matching

When grok is used together with codec/multiline, there is one issue to be aware of: grok regular expressions, like ordinary regular expressions, do not match carriage returns and line feeds by default.
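The newline behaviour described above, as an added example that is not part of the original post. It is written in Ruby because Ruby's Regexp uses the same Oniguruma-family syntax as grok, where the inline flag (?m) lets "." match newlines. The sample event, the `rest` group and the helper names are constructed for illustration.

```ruby
# Constructed sample: two physical lines merged into one event,
# as codec/multiline would deliver them to the grok filter.
EVENT = " begin 123.456 end\n  at com.example.Handler.run(Handler.java:42)"

# The page's request_time group plus a hypothetical greedy "rest" group.
BODY = '\s+(?<request_time>\d+(?:\.\d+)?)\s+(?<rest>.*)'

DEFAULT = Regexp.new(BODY)           # "." stops at the first newline
DOTALL  = Regexp.new('(?m)' + BODY)  # (?m): "." also matches newlines
STRICT  = Regexp.new(BODY + '\z')    # must consume the event to its end

# Return the named captures as a hash (the role %+ plays in Perl), or nil.
def grok_match(pattern, event)
  m = pattern.match(event)
  m && m.named_captures
end

# True when the pattern matched but stopped at a CR or LF, so the captured
# fields silently miss everything after the first physical line.
def truncated_at_newline?(pattern, event)
  m = pattern.match(event)
  return false unless m
  stop = m.end(0)
  stop < event.length && "\r\n".include?(event[stop])
end

# Classify the outcome the way a pipeline owner would want to see it.
def classify(pattern, event)
  return :no_match if grok_match(pattern, event).nil?
  truncated_at_newline?(pattern, event) ? :truncated : :full
end

if __FILE__ == $0
  { "default" => DEFAULT, "(?m)" => DOTALL, "anchored" => STRICT }.each do |name, re|
    puts "#{name}: #{classify(re, EVENT)} #{grok_match(re, EVENT).inspect}"
  end
end
```

In Perl the flag with this effect is spelled /s or (?s); (?m) there only changes how ^ and $ anchor.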