logstash-plugins / logstash-filter-grok

Grok plugin to parse unstructured (log) data into something structured.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
Apache License 2.0

"?:" meaning in grok #42

Closed rakesh91 closed 9 years ago

rakesh91 commented 9 years ago

Hi, does "?:" have the same meaning as in regex, or does it have a special meaning in grok? I found that in the logstash grok base patterns, apache has

"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"

What does "?:" mean here? I needed it to parse some custom Apache logs and wanted to know the importance of "?:".

jordansissel commented 9 years ago

The ?: has no meaning by itself in this case, but is specific to (?:some pattern here) and means "non-capturing group". It's a way for the regex-writer (human?) to tell the regex engine not to capture the grouping.

Contrasted with (some pattern) which is always captured for use after the match is completed.

The ?: here isn't matching any text but just saying "this group is not to be captured". It's a kind of optimization hint to the regex engine that we won't be asking for the contents of this group's match after the execution is done.

It matches a typical Apache default log format, like: "GET /somepage HTTP/1.1"

Hope this helps :)
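Added example, not part of the original thread and not the plugin's own code: the quoted grok pattern expanded by hand into a Ruby regex, showing which groups produce fields and what ends up in rawrequest when a request line is not well-formed HTTP. The expansions of WORD, NOTSPACE, NUMBER and DATA are simplified assumptions, the \A and \z anchors stand in for the quotes around the request in the full Apache pattern, and the helper names and sample lines are constructed for illustration.

```ruby
# Hand-expanded approximation of the grok pattern quoted in the question.
# Assumed expansions: WORD -> \w+, NOTSPACE -> \S+,
# NUMBER -> \d+(?:\.\d+)? (simplified), DATA -> .*?
REQUEST = %r{\A(?:(?<verb>\w+) (?<request>\S+)(?: HTTP/(?<httpversion>\d+(?:\.\d+)?))?|(?<rawrequest>.*?))\z}

# Return only the named fields that matched something.
# The (?:...) groups structure the alternation and the optional
# " HTTP/x.y" part, but never show up as fields themselves.
def parse_request(line)
  m = REQUEST.match(line)
  return {} unless m
  m.named_captures.reject { |_, v| v.nil? || v.empty? }
end

# Same text, two groupings, no named groups: plain parentheses are
# numbered and captured, (?:...) groups without producing a capture.
CAPTURING     = %r{(GET|POST) (\S+)( HTTP/(\d\.\d))?}
NON_CAPTURING = %r{(?:GET|POST) (\S+)(?: HTTP/(\d\.\d))?}

def numbered_captures(regex, text)
  m = regex.match(text)
  m ? m.captures : []
end

# Constructed sample request lines (not taken from a real log).
SAMPLES = [
  'GET /somepage HTTP/1.1', # typical request line
  'GET /somepage',          # no HTTP version: the optional group is skipped
  '\x16\x03\x01\x02'        # escaped non-HTTP bytes: only rawrequest matches
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} => #{parse_request(s)}" }
  line = SAMPLES.first
  puts "capturing:     #{numbered_captures(CAPTURING, line).inspect}"
  puts "non-capturing: #{numbered_captures(NON_CAPTURING, line).inspect}"
end
```

Events that carry only rawrequest did not parse as "verb path [HTTP/version]", which makes that field a convenient filter when reviewing access logs for malformed or non-HTTP traffic.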

jordansissel commented 9 years ago

If you have any other questions like this, I invite you to ask them on https://discuss.elastic.co/. I hope you find I answered your question, and I will close this ticket now :)