*.fmt placeholder definitions should got to /usr/share/logfmt. They take precedence over the ones bundles in the pip packge, or the builtins in logfmt1.rulesdb

apache generic

placeholder	id	regex	grok/fmt-recursion	description/reference
%a	remote_addr	[\d.:a-f]+	-	mod_log_config.c/log_io.c
%{c}a	remote_addr	[\d.:a-f]+	-	mod_log_config.c/log_io.c
%h	remote_host	[\w\-.:]+	-	mod_log_config.c/log_io.c
%{c}h	remote_host	[\w\-.:]+	-	mod_log_config.c/log_io.c
%A	local_address	[\d.:a-f]+	-	mod_log_config.c/log_io.c
%u	remote_user	[\-\w@.]+	-	mod_log_config.c/log_io.c
%l	remote_logname	[\w\-.:]+	-	mod_log_config.c/log_io.c
%t	request_time	\[?(\d[\d:\w\s:./\-+,;]+)\]?	-	mod_log_config.c/log_io.c
%{u}t	request_time	\d+/\w+/\d+:\d+:\d+:\d+\.\d+\s\+\d+	-	mod_log_config.c/log_io.c
%{cu}t	request_time	\d+-\w+-\d+\s\d+:\d+:\d+\.\d+	-	mod_log_config.c/log_io.c
%{msec_frac}t	msec_frac	[\d.]+	-	mod_log_config.c/log_io.c
%{usec_frac}t	usec_frac	[\d.]+	-	mod_log_config.c/log_io.c
%f	request_file	[^\s"]+	-	mod_log_config.c/log_io.c
%b	bytes_sent	\d+¦-	-	mod_log_config.c/log_io.c
%B	bytes_sent	\d+¦-	-	mod_log_config.c/log_io.c
%O	bytes_out	\d+	-	mod_log_config.c/log_io.c
%I	bytes_in	\d+	-	mod_log_config.c/log_io.c
%S	bytes_combined	\d+	-	mod_log_config.c/log_io.c
%E	apr_status	\w+	-	mod_log_config.c/log_io.c
%M	message	.+	-	mod_log_config.c/log_io.c
%L	log_id	[\w\-\.]+	-	mod_log_config.c/log_io.c
%{c}L	log_id	[\w\-\.]+	-	mod_log_config.c/log_io.c
%{C}L	log_id	[\w\-\.]*	-	mod_log_config.c/log_io.c
%V	server_name	[\w\-\.]+	-	mod_log_config.c/log_io.c
%v	virtual_host	[\w\-\.]+	-	mod_log_config.c/log_io.c
%p	server_port	\d+	-	mod_log_config.c/log_io.c
%{local}p	server_port	\d+	-	mod_log_config.c/log_io.c
%{canonical}p	canonical_port	[\w.]+	-	mod_log_config.c/log_io.c
%{remote}p	remote_port	\d+	-	mod_log_config.c/log_io.c
%P	pid	\d+	-	mod_log_config.c/log_io.c
%{g}T	tid	\d+	-	mod_log_config.c/log_io.c
%{tid}P	tid	\d+	-	mod_log_config.c/log_io.c
%{pid}P	pid	\d+	-	mod_log_config.c/log_io.c
%{hextid}P	tid	\w+	-	mod_log_config.c/log_io.c
%{hexpid}P	pid	\w+	-	mod_log_config.c/log_io.c
%H	request_protocol	[\w/\d.]+	-	mod_log_config.c/log_io.c
%m	request_method	[\w.]+	-	mod_log_config.c/log_io.c
%q	request_query	\??\S*	-	mod_log_config.c/log_io.c
%F	file_line	[/\w\-.:(\d)]+	-	mod_log_config.c/log_io.c
%X	connection_status	[Xx+\-.\d]+	-	mod_log_config.c/log_io.c
%k	keepalives	\d+	-	mod_log_config.c/log_io.c
%r	request_line	(?<request_method>\w+) (?<request_path>\S+) (?<request_protocol>[\w/\d.]+)	-	mod_log_config.c/log_io.c
%D	request_duration_microseconds	\d+	-	mod_log_config.c/log_io.c
%T	request_duration_scaled	[\d.]+	-	mod_log_config.c/log_io.c
%{s}T	request_duration_seconds	\d+	-	mod_log_config.c/log_io.c
%{us}T	request_duration_microseconds	\d+	-	mod_log_config.c/log_io.c
%{ms}T	request_duration_milliseconds	\d+	-	mod_log_config.c/log_io.c
%U	request_uri	\S+(?<!")	-	mod_log_config.c/log_io.c
%s	status	\d+	-	mod_log_config.c/log_io.c
%>s	status	-¦\d\d\d	-	mod_log_config.c/log_io.c
%R	handler	[\w:.\-]+	-	mod_log_config.c/log_io.c
%^FU	ttfu	-¦\d+	-	mod_log_config.c/log_io.c
%^FB	ttfb	-¦\d+	-	mod_log_config.c/log_io.c
%^ĴS	json	\{(?:[\w:,\s\[\]]+¦"(?:[^\\"]+¦\\.)*")\}	-	mod_log_config.c/log_io.c
%{Referer}i	referer	[^"]*	-	mod_log_config.c/log_io.c
%{User-Agent}i	user_agent	(?:[^"]+¦\\")*	-	mod_log_config.c/log_io.c
%{(misref+)}t	request_time	None	strftime	mod_log_config.c/log_io.c
%[<>]?{([w-]+)}[Conexic]	$1	\S+	None	mod_log_config.c/log_io.c
%{([w-]+)}^t[io]	$1	\S+	None	mod_log_config.c/log_io.c

strftime

placeholder	id	regex	grok/fmt-recursion	description/reference
%a	tm_wday	\w+	-	strftime(3)
%A	tm_wday	\w+	-	strftime(3)
%b	tm_mon	\w+	-	strftime(3)
%B	tm_mon	\w+	-	strftime(3)
%c	tm_dt	[-:/.\w\d]+	-	strftime(3)
%C	tm_cent	\d\d	-	strftime(3)
%d	tm_mday	\d\d	-	strftime(3)
%D	tm_mdy	\d+/\d+/\d+	-	strftime(3)
%e	tm_mday	[\d\s]\d	-	strftime(3)
%F	tm_date	\d\d\d\d-\d\d-\d\d	-	strftime(3)
%G	tm_wyear	\d\d\d\d	-	strftime(3)
%g	tm_wyearnc	\d\d	-	strftime(3)
%h	tm_mon	\w+	-	strftime(3)
%H	tm_hour	\d\d	-	strftime(3)
%I	tm_hour	\d\d	-	strftime(3)
%j	tm_yday	\d\d\d	-	strftime(3)
%k	tm_hour	\d\d	-	strftime(3)
%l	tm_hour	[\d\s]\d	-	strftime(3)
%m	tm_mon	\d\d	-	strftime(3)
%M	tm_min	\d\d	-	strftime(3)
%n	newline	\n	-	strftime(3)
%p	tm_ampm	AM¦PM	-	strftime(3)
%P	tm_ampm	am¦pm	-	strftime(3)
%r	tm_time	\d\d:\d\d:\d\d [AMPM]{2}	-	strftime(3)
%R	tm_time	\d\d:\d\d	-	strftime(3)
%s	tm_epoch	\d+	-	strftime(3)
%S	tm_sec	\d\d	-	strftime(3)
%t	tab	\t	-	strftime(3)
%T	tm_time	\d\d:\d\d:\d\d	-	strftime(3)
%u	tm_wday	[1-7]	-	strftime(3)
%U	tm_yday	[0-5]\d¦5[0123]	-	strftime(3)
%V	tm_yday	\d\d	-	strftime(3)
%w	tm_wday	[0-6]	-	strftime(3)
%W	tm_yday	\d\d	-	strftime(3)
%x	tm_ldate	[-./\d]+	-	strftime(3)
%X	tm_ltime	[:.\d]+	-	strftime(3)
%y	tm_year	\d\d	-	strftime(3)
%Y	tm_year	\d\d\d\d	-	strftime(3)
%z	tm_tz	[-+]\d\d\d\d	-	strftime(3)
%Z	tm_tz	\w+	-	strftime(3)
%+	tm_date	[-/:. \w\d]+	-	strftime(3)
%%	percent	%	-	strftime(3)

nginx

placeholder	id	regex	grok/fmt-recursion	description/reference
$request	request	(?<request_method>\w+) (?<request_path>\S+) (?<request_protocol>[\w/\d.]+)	-	???
$remote_addr	remote_addr	[\da-f.:]+	-	???
$remote_user	remote_user	[\w\-@.:]+	-	???
$time_local	time_local	[\d/\w:.+\-]+	-	???
$status	status	\d+	-	???
$request_length	request_length	\d+	-	???
$request_time	request_time	[\d.]+	-	???
$msec	msec	[\d.]+	-	???
$scheme	scheme	\w+	-	???
$args	args	\S*	-	???
$is_args	is_args	\??	-	???
$body_bytes_sent	body_bytes_sent	\d+	-	???
$http_referer	http_referer	\S*	-	???
$http_user_agent	http_user_agent	\S*	-	???
$pipe	pipe	[p.]	-	???
$ssl_protocol	ssl_protocol	[\w.]*	-	???
$ssl_cipher	ssl_cipher	[\w\-.]*	-	???
$	$1	\S*	QS	???

grok

placeholder	id	regex	grok/fmt-recursion	description/reference
%\{GROK:((?:[^{}]+|\{[^{}]+\})+)\}		None	grok	grok formats
%{USERNAME:([w.-]+)}	$1	[a-zA-Z0-9._-]+	USERNAME	grok formats
%{USER:([w.-]+)}	$1	[a-zA-Z0-9._-]+	USER	grok formats
%{INT:([w.-]+)}	$1	(?:[+-]?(?:[0-9]+))	INT	grok formats
%{BASE10NUM:([w.-]+)}	$1	(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)¦(?…	BASE10NUM	grok formats
%{NUMBER:([w.-]+)}	$1	(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)…	NUMBER	grok formats
%{BASE16NUM:([w.-]+)}	$1	(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))	BASE16NUM	grok formats
%{BASE16FLOAT:([w.-]+)}	$1	(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]…	BASE16FLOAT	grok formats
%{POSINT:([w.-]+)}	$1	(?:[1-9][0-9]*)	POSINT	grok formats
%{NONNEGINT:([w.-]+)}	$1	(?:[0-9]+)	NONNEGINT	grok formats
%{WORD:([w.-]+)}	$1	\w+	WORD	grok formats
%{NOTSPACE:([w.-]+)}	$1	\S+	NOTSPACE	grok formats
%{SPACE:([w.-]+)}	$1	\s*	SPACE	grok formats
%{DATA:([w.-]+)}	$1	.*?	DATA	grok formats
%{GREEDYDATA:([w.-]+)}	$1	.*	GREEDYDATA	grok formats
%{QUOTEDSTRING:([w.-]+)}	$1	(?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+…	QUOTEDSTRING	grok formats
%{UUID:([w.-]+)}	$1	[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{1…	UUID	grok formats
%{MAC:([w.-]+)}	$1	(?:(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})¦(?:(?…	MAC	grok formats
%{CISCOMAC:([w.-]+)}	$1	(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})	CISCOMAC	grok formats
%{WINDOWSMAC:([w.-]+)}	$1	(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})	WINDOWSMAC	grok formats
%{COMMONMAC:([w.-]+)}	$1	(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})	COMMONMAC	grok formats
%{IPV6:([w.-]+)}	$1	((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(([0…	IPV6	grok formats
%{IPV4:([w.-]+)}	$1	(?<![0-9])(?:(?:25[0-5]¦2[0-4][0-9]¦[0-1]?[0-9]{1,…	IPV4	grok formats
%{IP:([w.-]+)}	$1	(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(…	IP	grok formats
%{HOSTNAME:([w.-]+)}	$1	(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za…	HOSTNAME	grok formats
%{HOST:([w.-]+)}	$1	(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za…	HOST	grok formats
%{IPORHOST:([w.-]+)}	$1	(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…	IPORHOST	grok formats
%{HOSTPORT:([w.-]+)}	$1	(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…	HOSTPORT	grok formats
%{PATH:([w.-]+)}	$1	(?:(?>/(?>[\w_%!$@:.,-]+¦\.)*)+¦(?>[A-Za-z]+:¦\)(?…	PATH	grok formats
%{UNIXPATH:([w.-]+)}	$1	(?>/(?>[\w_%!$@:.,-]+¦\.)*)+	UNIXPATH	grok formats
%{TTY:([w.-]+)}	$1	(?:/dev/(pts¦tty([pq])?)(\w+)?/?(?:[0-9]+))	TTY	grok formats
%{WINPATH:([w.-]+)}	$1	(?>[A-Za-z]+:¦\)(?:\[^\?*]*)+	WINPATH	grok formats
%{URIPROTO:([w.-]+)}	$1	[A-Za-z]+(\+[A-Za-z+]+)?	URIPROTO	grok formats
%{URIHOST:([w.-]+)}	$1	(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…	URIHOST	grok formats
%{URIPATH:([w.-]+)}	$1	(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+	URIPATH	grok formats
%{URIPARAM:([w.-]+)}	$1	\?[A-Za-z0-9$.+!*'¦(){},~@#%&/=:;_?\-\[\]]*	URIPARAM	grok formats
%{URIPATHPARAM:([w.-]+)}	$1	(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+(?:\?[A-Za-…	URIPATHPARAM	grok formats
%{URI:([w.-]+)}	$1	[A-Za-z]+(\+[A-Za-z+]+)?://(?:[a-zA-Z0-9._-]+(?::[…	URI	grok formats
%{MONTH:([w.-]+)}	$1	(?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il…	MONTH	grok formats
%{MONTHNUM:([w.-]+)}	$1	(?:0?[1-9]¦1[0-2])	MONTHNUM	grok formats
%{MONTHNUM2:([w.-]+)}	$1	(?:0[1-9]¦1[0-2])	MONTHNUM2	grok formats
%{MONTHDAY:([w.-]+)}	$1	(?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])	MONTHDAY	grok formats
%{DAY:([w.-]+)}	$1	(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…	DAY	grok formats
%{YEAR:([w.-]+)}	$1	(?>\d\d){1,2}	YEAR	grok formats
%{HOUR:([w.-]+)}	$1	(?:2[0123]¦[01]?[0-9])	HOUR	grok formats
%{MINUTE:([w.-]+)}	$1	(?:[0-5][0-9])	MINUTE	grok formats
%{SECOND:([w.-]+)}	$1	(?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?)	SECOND	grok formats
%{TIME:([w.-]+)}	$1	(?!<[0-9])(?:2[0123]¦[01]?[0-9]):(?:[0-5][0-9])(?:…	TIME	grok formats
%{DATE_US:([w.-]+)}	$1	(?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦…	DATE_US	grok formats
%{DATE_EU:([w.-]+)}	$1	(?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])[./-](…	DATE_EU	grok formats
%{ISO8601_TIMEZONE:([w.-]+)}	$1	(?:Z¦[+-](?:2[0123]¦[01]?[0-9])(?::?(?:[0-5][0-9])…	ISO8601_TIMEZONE	grok formats
%{ISO8601_SECOND:([w.-]+)}	$1	(?:(?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?)¦60)	ISO8601_SECOND	grok formats
%{TIMESTAMP_ISO8601:([w.-]+)}	$1	(?>\d\d){1,2}-(?:0?[1-9]¦1[0-2])-(?:(?:0[1-9])¦(?:…	TIMESTAMP_ISO8601	grok formats
%{DATE:([w.-]+)}	$1	(?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦…	DATE	grok formats
%{DATESTAMP:([w.-]+)}	$1	(?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦…	DATESTAMP	grok formats
%{TZ:([w.-]+)}	$1	(?:[PMCE][SD]T¦UTC)	TZ	grok formats
%{DATESTAMP_RFC822:([w.-]+)}	$1	(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…	DATESTAMP_RFC822	grok formats
%{DATESTAMP_RFC2822:([w.-]+)}	$1	(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…	DATESTAMP_RFC2822	grok formats
%{DATESTAMP_OTHER:([w.-]+)}	$1	(?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r…	DATESTAMP_OTHER	grok formats
%{DATESTAMP_EVENTLOG:([w.-]+)}	$1	(?>\d\d){1,2}(?:0[1-9]¦1[0-2])(?:(?:0[1-9])¦(?:[12…	DATESTAMP_EVENTLOG	grok formats
%{SYSLOGTIMESTAMP:([w.-]+)}	$1	(?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il…	SYSLOGTIMESTAMP	grok formats
%{PROG:([w.-]+)}	$1	(?:[\w._/%-]+)	PROG	grok formats
%{SYSLOGPROG:([w.-]+)}	$1	(?<program>(?:[\w._/%-]+))(?:\[(?<pid>(?:[1-9][0-…	SYSLOGPROG	grok formats
%{SYSLOGHOST:([w.-]+)}	$1	(?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A…	SYSLOGHOST	grok formats
%{SYSLOGFACILITY:([w.-]+)}	$1	<(?<facility>(?:[0-9]+)).(?<priority>(?:[0-9]+)…	SYSLOGFACILITY	grok formats
%{HTTPDATE:([w.-]+)}	$1	(?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])/(?:J…	HTTPDATE	grok formats
%{QS:([w.-]+)}	$1	(?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+…	QS	grok formats
%{LOGLEVEL:([w.-]+)}	$1	([Aa]lert¦ALERT¦[Tt]race¦TRACE¦[Dd]ebug¦DEBUG¦[Nn]…	LOGLEVEL	grok formats

---

1. ^{^} Misreference