Grok Patterns

Grok patterns are named regular expressions that match words, numbers, IP addresses, dates, and other common data formats.

Here is a list of the Grok patterns and their corresponding regular expressions. A pattern can reference another pattern with %{NAME}, and %{NAME:field} captures the matched text under the given field name.

General Patterns

Pattern name        Regular expression

USERNAME            [a-zA-Z0-9._-]+
USER                %{USERNAME}
INT                 (?:[+-]?(?:[0-9]+))
BASE10NUM           (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER              (?:%{BASE10NUM})
BASE16NUM           (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
BASE16FLOAT         \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b
POSINT              \b(?:[1-9][0-9]*)\b
NONNEGINT           \b(?:[0-9]+)\b
WORD                \b\w+\b
NOTSPACE            \S+
SPACE               \s*
DATA                .*?
GREEDYDATA          .*
QUOTEDSTRING        (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
QS                  %{QUOTEDSTRING}
UUID                [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
DOMAINTLD           [a-zA-Z]+
EMAIL               %{NOTSPACE}@%{WORD}.%{DOMAINTLD}

Pattern name        Regular expression

MAC                 (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC            (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
WINDOWSMAC          (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
COMMONMAC           (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
IPV6                ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?
IPV4                (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])
IP                  (?:%{IPV6}|%{IPV4})
HOSTNAME            \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
HOST                %{HOSTNAME}
IPORHOST            (?:%{HOSTNAME}|%{IP})
HOSTPORT            %{IPORHOST}:%{POSINT}

Pattern name        Regular expression

PATH                (?:%{UNIXPATH}|%{WINPATH})
UNIXPATH            (?>/(?>[\w_%!$@:.,-]+|\\.)*)+
TTY                 (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
WINPATH             (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
URIPROTO            [A-Za-z]+(\+[A-Za-z+]+)?
URIHOST             %{IPORHOST}(?::%{POSINT:port})?
URIPATH             (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+
URIPARAM            \?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*
URIPATHPARAM        %{URIPATH}(?:%{URIPARAM})?
URI                 %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?

Date and time patterns

Pattern name        Regular expression

MONTH               \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
MONTHNUM            (?:0?[1-9]|1[0-2])
MONTHNUM2           (?:0[1-9]|1[0-2])
MONTHDAY            (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
DAY                 (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
YEAR                (?>\d\d){1,2}
HOUR                (?:2[0123]|[01]?[0-9])
MINUTE              (?:[0-5][0-9])
SECOND              (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
TIME                (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
DATE_US             %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU             %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
ISO8601_TIMEZONE    (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND      (?:%{SECOND}|60)
TIMESTAMP_ISO8601   %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE                %{DATE_US}|%{DATE_EU}
DATESTAMP           %{DATE}[- ]%{TIME}
TZ                  (?:[PMCE][SD]T|UTC)
DATESTAMP_RFC822    %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_RFC2822   %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
DATESTAMP_OTHER     %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
DATESTAMP_EVENTLOG  %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}

Syslog Patterns

Pattern name        Regular expression

SYSLOGTIMESTAMP     %{MONTH} +%{MONTHDAY} %{TIME}
PROG                (?:[\w._/%-]+)
SYSLOGPROG          %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGFACILITY      <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE            %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}
SYSLOGHOST          %{IPORHOST}

Log Formats

Pattern name        Regular expression

SYSLOGBASE          %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
COMMONAPACHELOG     %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
