GUI editor to tame mod_security rules



Artifact [c2bbcf7ed1]

Artifact c2bbcf7ed1477278d254b4b7827d9de7bf37c995bd6bceca82897881475eb315:

Wiki page [logfmt1/share] by mario 2020-12-16 15:21:44.
D 2020-12-16T15:21:44.538
L logfmt1/share
N text/x-markdown
P 960ffb536c9a4c35dacf8746ea9e150173d3fad3e4e8148f3e7b3152fdd83188
U mario
W 24874
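`*.fmt` placeholder definitions should go to `/usr/share/logfmt`. They take precedence over the ones bundled in the pip package, or the builtins in `logfmt1.rulesdb`. Because files placed there override the shipped definitions, the directory should be writable only by the administrator.

In the tables below, `¦` in the regex column appears to stand in for the alternation bar `|` (which would otherwise end the table cell), and a trailing `…` marks a regex that was shortened for display; neither form should be copied verbatim into a `.fmt` file.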



## apache generic

| placeholder 	 | id 	 | regex 	 	 | grok/fmt-recursion 	 | description/reference 	 |
-------------------------------------------------------------------------------------------
| %a 	 | remote_addr 	 | `[\d.:a-f]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_addr) |
| %{c}a 	 | remote_addr 	 | `[\d.:a-f]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_addr) |
| %h 	 | remote_host 	 | `[\w\-.:]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_host) |
| %{c}h 	 | remote_host 	 | `[\w\-.:]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_host) |
| %A 	 | local_address 	 | `[\d.:a-f]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=local_address) |
| %u 	 | remote_user 	 | `[\-\w@.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_user) |
| %l 	 | remote_logname 	 | `[\w\-.:]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_logname) |
| %t 	 | request_time 	 | `\[?(\d[\d:\w\s:./\-+,;]+)\]?` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_time) |
| %{u}t 	 | request_time 	 | `\d+/\w+/\d+:\d+:\d+:\d+\.\d+\s\+\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_time) |
| %{cu}t 	 | request_time 	 | `\d+-\w+-\d+\s\d+:\d+:\d+\.\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_time) |
| %{msec_frac}t 	 | msec_frac 	 | `[\d.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=msec_frac) |
| %{usec_frac}t 	 | usec_frac 	 | `[\d.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=usec_frac) |
| %f 	 | request_file 	 | `[^\s"]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_file) |
| %b 	 | bytes_sent 	 | `\d+¦-` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=bytes_sent) |
| %B 	 | bytes_sent 	 | `\d+¦-` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=bytes_sent) |
| %O 	 | bytes_out 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=bytes_out) |
| %I 	 | bytes_in 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=bytes_in) |
| %S 	 | bytes_combined 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=bytes_combined) |
| %E 	 | apr_status 	 | `\w+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=apr_status) |
| %M 	 | message 	 | `.+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=message) |
| %L 	 | log_id 	 | `[\w\-\.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=log_id) |
| %{c}L 	 | log_id 	 | `[\w\-\.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=log_id) |
| %{C}L 	 | log_id 	 | `[\w\-\.]*` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=log_id) |
| %V 	 | server_name 	 | `[\w\-\.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=server_name) |
| %v 	 | virtual_host 	 | `[\w\-\.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=virtual_host) |
| %p 	 | server_port 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=server_port) |
| %{local}p 	 | server_port 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=server_port) |
| %{canonical}p 	 | canonical_port 	 | `[\w.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=canonical_port) |
| %{remote}p 	 | remote_port 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=remote_port) |
| %P 	 | pid 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=pid) |
| %{g}T 	 | tid 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=tid) |
| %{tid}P 	 | tid 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=tid) |
| %{pid}P 	 | pid 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=pid) |
| %{hextid}P 	 | tid 	 | `\w+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=tid) |
| %{hexpid}P 	 | pid 	 | `\w+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=pid) |
| %H 	 | request_protocol 	 | `[\w/\d.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_protocol) |
| %m 	 | request_method 	 | `[\w.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_method) |
| %q 	 | request_query 	 | `\??\S*` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_query) |
| %F 	 | file_line 	 | `[/\w\-.:(\d)]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=file_line) |
| %X 	 | connection_status 	 | `[Xx+\-.\d]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=connection_status) |
| %k 	 | keepalives 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=keepalives) |
| %r 	 | request_line 	 | `(?<request_method>\w+) (?<request_path>\S+) (?<request_protocol>[\w/\d.]+)` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_line) |
| %D 	 | request_duration_microseconds 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_duration_microseconds) |
| %T 	 | request_duration_scaled 	 | `[\d.]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_duration_scaled) |
| %{s}T 	 | request_duration_seconds 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_duration_seconds) |
| %{us}T 	 | request_duration_microseconds 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_duration_microseconds) |
| %{ms}T 	 | request_duration_milliseconds 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_duration_milliseconds) |
| %U 	 | request_uri 	 | `\S+(?<!")` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_uri) |
| %s 	 | status 	 | `\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=status) |
| %>s 	 | status 	 | `-¦\d\d\d` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=status) |
| %R 	 | handler 	 | `[\w:.\-]+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=handler) |
| %^FU 	 | ttfu 	 | `-¦\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=ttfu) |
| %^FB 	 | ttfb 	 | `-¦\d+` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=ttfb) |
| %^ĴS 	 | json 	 | `\{(?:[\w:,\s\[\]]+¦"(?:[^\\"]+¦\\.)*")\}` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=json) |
| %{Referer}i 	 | referer 	 | `[^"]*` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=referer) |
| %{User-Agent}i 	 | user_agent 	 | `(?:[^"]+¦\\")*` 	 | - 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=user_agent) |
| %\{([^{}]+)\}t 	 | request_time 	 | `None` 	 | strftime 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=request_time) |
| %[<>]?\{([\w\-]+)\}[Conexic] 	 | $1 	 | `\S+` 	 | None 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=$1) |
| %\{([\w\-]+)\}\^t[io] 	 | $1 	 | `\S+` 	 | None 	 | [mod_log_config.c/log_io.c](https://github.com/apache/httpd/search?q=$1) |


## strftime

| placeholder 	 | id 	 | regex 	 	 | grok/fmt-recursion 	 | description/reference 	 |
-------------------------------------------------------------------------------------------
| %a 	 | tm_wday 	 | `\w+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %A 	 | tm_wday 	 | `\w+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %b 	 | tm_mon 	 | `\w+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %B 	 | tm_mon 	 | `\w+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %c 	 | tm_dt 	 | `[-:/.\w\d]+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_dt) |
| %C 	 | tm_cent 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_cent) |
| %d 	 | tm_mday 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mday) |
| %D 	 | tm_mdy 	 | `\d+/\d+/\d+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mdy) |
| %e 	 | tm_mday 	 | `[\d\s]\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mday) |
| %F 	 | tm_date 	 | `\d\d\d\d-\d\d-\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_date) |
| %G 	 | tm_wyear 	 | `\d\d\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wyear) |
| %g 	 | tm_wyearnc 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wyearnc) |
| %h 	 | tm_mon 	 | `\w+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %H 	 | tm_hour 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %I 	 | tm_hour 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %j 	 | tm_yday 	 | `\d\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %k 	 | tm_hour 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %l 	 | tm_hour 	 | `[\d\s]\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %m 	 | tm_mon 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %M 	 | tm_min 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_min) |
| %n 	 | newline 	 | `\n` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=newline) |
| %p 	 | tm_ampm 	 | `AM¦PM` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ampm) |
| %P 	 | tm_ampm 	 | `am¦pm` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ampm) |
| %r 	 | tm_time 	 | `\d\d:\d\d:\d\d [AMPM]{2}` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_time) |
| %R 	 | tm_time 	 | `\d\d:\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_time) |
| %s 	 | tm_epoch 	 | `\d+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_epoch) |
| %S 	 | tm_sec 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_sec) |
| %t 	 | tab 	 | `\t` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tab) |
| %T 	 | tm_time 	 | `\d\d:\d\d:\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_time) |
| %u 	 | tm_wday 	 | `[1-7]` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %U 	 | tm_yday 	 | `[0-5]\d¦5[0123]` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %V 	 | tm_yday 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %w 	 | tm_wday 	 | `[0-6]` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %W 	 | tm_yday 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %x 	 | tm_ldate 	 | `[-./\d]+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ldate) |
| %X 	 | tm_ltime 	 | `[:.\d]+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ltime) |
| %y 	 | tm_year 	 | `\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_year) |
| %Y 	 | tm_year 	 | `\d\d\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_year) |
| %z 	 | tm_tz 	 | `[-+]\d\d\d\d` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_tz) |
| %Z 	 | tm_tz 	 | `\w+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_tz) |
| %+ 	 | tm_date 	 | `[-/:. \w\d]+` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_date) |
| %% 	 | percent 	 | `%` 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=percent) |


## grok

| placeholder 	 | id 	 | regex 	 	 | grok/fmt-recursion 	 | description/reference 	 |
-------------------------------------------------------------------------------------------
| `%\{GROK:((?:[^{}]+|\{[^{}]+\})+)\}` 	 |  	 | `None` 	 | grok 	 | [grok formats](https://duckduckgo.com/?q=grok+format+) |
| %{USERNAME:([\w.\-]+)} 	 | $1 	 | `[a-zA-Z0-9._-]+` 	 | USERNAME 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{USER:([\w.\-]+)} 	 | $1 	 | `[a-zA-Z0-9._-]+` 	 | USER 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{INT:([\w.\-]+)} 	 | $1 	 | `(?:[+-]?(?:[0-9]+))` 	 | INT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{BASE10NUM:([\w.\-]+)} 	 | $1 	 | `(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)¦(?…` 	 | BASE10NUM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{NUMBER:([\w.\-]+)} 	 | $1 	 | `(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)…` 	 | NUMBER 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{BASE16NUM:([\w.\-]+)} 	 | $1 	 | `(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))` 	 | BASE16NUM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{BASE16FLOAT:([\w.\-]+)} 	 | $1 	 | `(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]…` 	 | BASE16FLOAT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{POSINT:([\w.\-]+)} 	 | $1 	 | `(?:[1-9][0-9]*)` 	 | POSINT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{NONNEGINT:([\w.\-]+)} 	 | $1 	 | `(?:[0-9]+)` 	 | NONNEGINT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{WORD:([\w.\-]+)} 	 | $1 	 | `\w+` 	 | WORD 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{NOTSPACE:([\w.\-]+)} 	 | $1 	 | `\S+` 	 | NOTSPACE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SPACE:([\w.\-]+)} 	 | $1 	 | `\s*` 	 | SPACE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATA:([\w.\-]+)} 	 | $1 	 | `.*?` 	 | DATA 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{GREEDYDATA:([\w.\-]+)} 	 | $1 	 | `.*` 	 | GREEDYDATA 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{QUOTEDSTRING:([\w.\-]+)} 	 | $1 	 | `(?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+…` 	 | QUOTEDSTRING 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{UUID:([\w.\-]+)} 	 | $1 	 | `[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{1…` 	 | UUID 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MAC:([\w.\-]+)} 	 | $1 	 | `(?:(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})¦(?:(?…` 	 | MAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{CISCOMAC:([\w.\-]+)} 	 | $1 	 | `(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})` 	 | CISCOMAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{WINDOWSMAC:([\w.\-]+)} 	 | $1 	 | `(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})` 	 | WINDOWSMAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{COMMONMAC:([\w.\-]+)} 	 | $1 	 | `(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})` 	 | COMMONMAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IPV6:([\w.\-]+)} 	 | $1 	 | `((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(([0…` 	 | IPV6 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IPV4:([\w.\-]+)} 	 | $1 	 | `(?<![0-9])(?:(?:25[0-5]¦2[0-4][0-9]¦[0-1]?[0-9]{1,…` 	 | IPV4 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IP:([\w.\-]+)} 	 | $1 	 | `(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(…` 	 | IP 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOSTNAME:([\w.\-]+)} 	 | $1 	 | `(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za…` 	 | HOSTNAME 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOST:([\w.\-]+)} 	 | $1 	 | `(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za…` 	 | HOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IPORHOST:([\w.\-]+)} 	 | $1 	 | `(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…` 	 | IPORHOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOSTPORT:([\w.\-]+)} 	 | $1 	 | `(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…` 	 | HOSTPORT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{PATH:([\w.\-]+)} 	 | $1 	 | `(?:(?>/(?>[\w_%!$@:.,-]+¦\.)*)+¦(?>[A-Za-z]+:¦\)(?…` 	 | PATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{UNIXPATH:([\w.\-]+)} 	 | $1 	 | `(?>/(?>[\w_%!$@:.,-]+¦\.)*)+` 	 | UNIXPATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TTY:([\w.\-]+)} 	 | $1 	 | `(?:/dev/(pts¦tty([pq])?)(\w+)?/?(?:[0-9]+))` 	 | TTY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{WINPATH:([\w.\-]+)} 	 | $1 	 | `(?>[A-Za-z]+:¦\)(?:\[^\?*]*)+` 	 | WINPATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPROTO:([\w.\-]+)} 	 | $1 	 | `[A-Za-z]+(\+[A-Za-z+]+)?` 	 | URIPROTO 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIHOST:([\w.\-]+)} 	 | $1 	 | `(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…` 	 | URIHOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPATH:([\w.\-]+)} 	 | $1 	 | `(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+` 	 | URIPATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPARAM:([\w.\-]+)} 	 | $1 	 | `\?[A-Za-z0-9$.+!*'¦(){},~@#%&/=:;_?\-\[\]]*` 	 | URIPARAM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPATHPARAM:([\w.\-]+)} 	 | $1 	 | `(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+(?:\?[A-Za-…` 	 | URIPATHPARAM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URI:([\w.\-]+)} 	 | $1 	 | `[A-Za-z]+(\+[A-Za-z+]+)?://(?:[a-zA-Z0-9._-]+(?::[…` 	 | URI 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTH:([\w.\-]+)} 	 | $1 	 | `(?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il…` 	 | MONTH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTHNUM:([\w.\-]+)} 	 | $1 	 | `(?:0?[1-9]¦1[0-2])` 	 | MONTHNUM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTHNUM2:([\w.\-]+)} 	 | $1 	 | `(?:0[1-9]¦1[0-2])` 	 | MONTHNUM2 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTHDAY:([\w.\-]+)} 	 | $1 	 | `(?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])` 	 | MONTHDAY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DAY:([\w.\-]+)} 	 | $1 	 | `(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…` 	 | DAY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{YEAR:([\w.\-]+)} 	 | $1 	 | `(?>\d\d){1,2}` 	 | YEAR 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOUR:([\w.\-]+)} 	 | $1 	 | `(?:2[0123]¦[01]?[0-9])` 	 | HOUR 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MINUTE:([\w.\-]+)} 	 | $1 	 | `(?:[0-5][0-9])` 	 | MINUTE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SECOND:([\w.\-]+)} 	 | $1 	 | `(?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?)` 	 | SECOND 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TIME:([\w.\-]+)} 	 | $1 	 | `(?!<[0-9])(?:2[0123]¦[01]?[0-9]):(?:[0-5][0-9])(?:…` 	 | TIME 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATE_US:([\w.\-]+)} 	 | $1 	 | `(?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦…` 	 | DATE_US 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATE_EU:([\w.\-]+)} 	 | $1 	 | `(?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])[./-](…` 	 | DATE_EU 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{ISO8601_TIMEZONE:([\w.\-]+)} 	 | $1 	 | `(?:Z¦[+-](?:2[0123]¦[01]?[0-9])(?::?(?:[0-5][0-9])…` 	 | ISO8601_TIMEZONE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{ISO8601_SECOND:([\w.\-]+)} 	 | $1 	 | `(?:(?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?)¦60)` 	 | ISO8601_SECOND 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TIMESTAMP_ISO8601:([\w.\-]+)} 	 | $1 	 | `(?>\d\d){1,2}-(?:0?[1-9]¦1[0-2])-(?:(?:0[1-9])¦(?:…` 	 | TIMESTAMP_ISO8601 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATE:([\w.\-]+)} 	 | $1 	 | `(?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦…` 	 | DATE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP:([\w.\-]+)} 	 | $1 	 | `(?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦…` 	 | DATESTAMP 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TZ:([\w.\-]+)} 	 | $1 	 | `(?:[PMCE][SD]T¦UTC)` 	 | TZ 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_RFC822:([\w.\-]+)} 	 | $1 	 | `(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…` 	 | DATESTAMP_RFC822 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_RFC2822:([\w.\-]+)} 	 | $1 	 | `(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…` 	 | DATESTAMP_RFC2822 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_OTHER:([\w.\-]+)} 	 | $1 	 | `(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…` 	 | DATESTAMP_OTHER 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_EVENTLOG:([\w.\-]+)} 	 | $1 	 | `(?>\d\d){1,2}(?:0[1-9]¦1[0-2])(?:(?:0[1-9])¦(?:[12…` 	 | DATESTAMP_EVENTLOG 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGTIMESTAMP:([\w.\-]+)} 	 | $1 	 | `(?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il…` 	 | SYSLOGTIMESTAMP 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{PROG:([\w.\-]+)} 	 | $1 	 | `(?:[\w._/%-]+)` 	 | PROG 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGPROG:([\w.\-]+)} 	 | $1 	 | `(?<program>(?:[\w._/%-]+))(?:\[(?<pid>(?:[1-9][0-…` 	 | SYSLOGPROG 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGHOST:([\w.\-]+)} 	 | $1 	 | `(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…` 	 | SYSLOGHOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGFACILITY:([\w.\-]+)} 	 | $1 	 | `<(?<facility>(?:[0-9]+)).(?<priority>(?:[0-9]+)…` 	 | SYSLOGFACILITY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HTTPDATE:([\w.\-]+)} 	 | $1 	 | `(?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])/(?:J…` 	 | HTTPDATE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{QS:([\w.\-]+)} 	 | $1 	 | `(?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+…` 	 | QS 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{LOGLEVEL:([\w.\-]+)} 	 | $1 	 | `([Aa]lert¦ALERT¦[Tt]race¦TRACE¦[Dd]ebug¦DEBUG¦[Nn]…` 	 | LOGLEVEL 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |

Z 143d77367254d89a687221fbced6939e