logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" "%Ss:%Sh" "%{X-Forwarded-For}>h"

192.168.1.4 - - [30/May/2017:03:47:01 +0900] "CONNECT shavar.services.mozilla.com:443 HTTP/1.1" 200 3396 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0" "TCP_TUNNEL:HIER_DIRECT" "-"

^([\d.]+) (-) (-) (\[\w.+\]) (?:")(\w.+) (\w.+) (\w.+)(?:") (\d+) (\d+) (?:")(-)(?:") (?:")(.+)(?:") (?:")(.+)(?::)(.+)(?:") (?:")(-)(?:")

1.	192.168.1.4
2.	-
3.	-
4.	[30/May/2017:03:47:01 +0900]
5.	CONNECT
6.	shavar.services.mozilla.com:443
7.	HTTP/1.1
8.	200
9.	3396
10.	-
11.	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
12.	TCP_TUNNEL
13.	HIER_DIRECT
14.	-

^(?<src_ip>[\d.]+) (?<user_name_ident>-) (?<user_name>-) (?<local_time>\[\w.+\]) (?:")(?<request_method>\w.+) (?<request_url>\w.+) (?<request_protocol_version>\w.+)(?:") (?<status_code>\d+) (?<total_size_of_request>\d+) (?:")(?<referer>-)(?:") (?:")(?<user_agent>.+)(?:") (?:")(?<squid_request_status>.+)(?::)(?<squid_hierarchy_status>.+)(?:") (?:")(?<x_forwarded_for>-)(?:")

<source> 
  type tail 
  path /var/log/foo/bar.log 
  pos_file /var/log/td-agent/foo-bar.log.pos 
  tag foo.bar 
  format /^(?<src_ip>[\d.]+) (?<user_name_ident>-) (?<user_name>-) (?<local_time>\[\w.+\]) (?:")(?<request_method>\w.+) (?<request_url>\w.+) (?<request_protocol_version>\w.+)(?:") (?<status_code>\d+) (?<total_size_of_request>\d+) (?:")(?<referer>-)(?:") (?:")(?<user_agent>.+)(?:") (?:")(?<squid_request_status>.+)(?::)(?<squid_hierarchy_status>.+)(?:") (?:")(?<x_forwarded_for>-)(?:")/ 
</source>