Logstash自带正则表达式

USERNAME [a-zA-Z0-._-]+
USER %{USERNAME}
INT (?:[+-]?(?:[-]+))
BASE10NUM (?<![-.+-])(?>[+-]?(?:(?:[-]+(?:\.[-]+)?)|(?:\.[-]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?<![-9A-Fa-f])(?:[+-]?(?:0x)?(?:[-9A-Fa-f]+))
BASE16FLOAT \b(?<![-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[-9A-Fa-f]+(?:\.[-9A-Fa-f]*)?)|(?:\.[-9A-Fa-f]+)))\b

POSINT \b(?:[-][-]*)\b
NONNEGINT \b(?:[-]+)\b
WORD \b\w+\b
NOTSPACE \S+
SPACE \s*
DATA .*?
GREEDYDATA .*
QUOTEDSTRING (?>(?<!\\)(?>”(?>\\.|[^\\"]+)+”|”"|(?>’(?>\\.|[^\\']+)+’)|”|(?>(?>\\.|[^\]+)+)|`))
UUID [A-Fa-f0-]{}-(?:[A-Fa-f0-]{}-){}[A-Fa-f0-]{}

# Networking
MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC (?:(?:[A-Fa-f0-]{}\.){}[A-Fa-f0-]{})
WINDOWSMAC (?:(?:[A-Fa-f0-]{}-){}[A-Fa-f0-]{})
COMMONMAC (?:(?:[A-Fa-f0-]{}:){}[A-Fa-f0-]{})
IPV6 ((([-9A-Fa-f]{,}:){}([-9A-Fa-f]{,}|:))|(([-9A-Fa-f]{,}:){}(:[-9A-Fa-f]{,}|(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){})|:))|(([-9A-Fa-f]{,}:){}(((:[-9A-Fa-f]{,}){,})|:(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){})|:))|(([-9A-Fa-f]{,}:){}(((:[-9A-Fa-f]{,}){,})|((:[-9A-Fa-f]{,})?:(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){}))|:))|(([-9A-Fa-f]{,}:){}(((:[-9A-Fa-f]{,}){,})|((:[-9A-Fa-f]{,}){,}:(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){}))|:))|(([-9A-Fa-f]{,}:){}(((:[-9A-Fa-f]{,}){,})|((:[-9A-Fa-f]{,}){,}:(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){}))|:))|(([-9A-Fa-f]{,}:){}(((:[-9A-Fa-f]{,}){,})|((:[-9A-Fa-f]{,}){,}:(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){}))|:))|(:(((:[-9A-Fa-f]{,}){,})|((:[-9A-Fa-f]{,}){,}:(([-]|[-]\d|\d\d|[-]?\d)(\.([-]|[-]\d|\d\d|[-]?\d)){}))|:)))(%.+)?
IPV4 (?<![-])(?:(?:[-]|[-][-]|[-]?[-]{,})[.](?:[-]|[-][-]|[-]?[-]{,})[.](?:[-]|[-][-]|[-]?[-]{,})[.](?:[-]|[-][-]|[-]?[-]{,}))(?![-])
IP (?:%{IPV6}|%{IPV4})
HOSTNAME \b(?:[-9A-Za-z][-9A-Za-z-]{,})(?:\.(?:[-9A-Za-z][-9A-Za-z-]{,}))*(\.?|\b)
HOST %{HOSTNAME}
IPORHOST (?:%{HOSTNAME}|%{IP})
HOSTPORT (?:%{IPORHOST=~/\./}:%{POSINT})

# paths
PATH (?:%{UNIXPATH}|%{WINPATH})
UNIXPATH (?>/(?>[\w_%!$@:.,-]+|\\.)*)+
TTY (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[-]+))
WINPATH (?>[A-Za-z]+:|\\)(?:\
^\\?*]*)+
URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?
URIHOST %{IPORHOST}(?::%{POSINT:port})?
# uripath comes loosely from RFC1738, but mostly from what Firefox
# doesn’t turn into %XX
URIPATH (?:/[A-Za-z0-$.+!*'(){},~:;=@#%_\-]*)+
#URIPARAM \?(?:[A-Za-z0-]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-]+(?:=(?:[^&]*))?)?)*)?
URIPARAM \?[A-Za-z0-$.+!*’|(){},~@#%&/=:;_?\-\[
]*
URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?

# Months: January, Feb, , , , December
MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
MONTHNUM (?:?[-]|[-])
MONTHDAY (?:(?:[-])|(?:[][-])|(?:[])|[-])

# Days: Monday, Tue, Thu, etc…
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)

# Years?
YEAR (?>\d\d){,}
HOUR (?:[]|[]?[-])
MINUTE (?:[-][-])
# ’′ is a leap second in most time standards and thus is valid.
SECOND (?:(?:[-][-]|)(?:[:.,][-]+)?)
TIME (?!<[-])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![-])
# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND (?:%{SECOND}|)
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE %{DATE_US}|%{DATE_EU}
DATESTAMP %{DATE}[- ]%{TIME}
TZ (?:[PMCE][SD]T|UTC)
DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}

# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG (?:[\w._/%-]+)
SYSLOGPROG %{PROG:program}(?:
)?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}

# Shortcuts
QS %{QUOTEDSTRING}

# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth}
“(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})” %{NUMBER:response} (?:%{NUMBER:bytes}|-)
COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}

# Log Levels
LOGLEVEL ([A-a]lert|ALERT|[T|t]race|TRACE|[D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)