Regular expression issue within pm_pattern

#1 PlkMarudny 7 years ago

I have the following regexp:

^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[\S+\])\s+([\s\S]*)$

and a line from the log that I am trying to parse (there are some spaces at the beginning of the line):

13:33:00.1205 [-] Persisting VDOM path /

trying to process a file using pm_pattern module with LogLevel DEBUG this is what I get:

2016-11-16 13:38:00 DEBUG regexp '^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$' did not match against ' 13:38:00.1857 [-] Persisting VDOM path /'

Part of the xml file used to process the input:

<pattern>
   <id>1</id>
   <name>log_line</name>
   <description>Regular log line</description>
   <matchfield>
       <name>raw_event</name>
       <type>regexp</type>
       <value>^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$</value>
       <capturedfield>
           <name>EventTime</name>
           <type>string</type>
       </capturedfield>
       <capturedfield>
           <name>SourceName</name>
           <type>string</type>
       </capturedfield>
       <capturedfield>
           <name>Message</name>
           <type>string</type>
       </capturedfield>
   </matchfield>
</pattern>

What is wrong with my expression?

Permalink

#2 PlkMarudny 7 years ago (Last updated 7 years ago )

#1 PlkMarudny

I have the following regexp: ^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[\S+\])\s+([\s\S]*)$ and a line from the log that I am trying to parse (there are some spaces at the beginning of the line): 13:33:00.1205 [-] Persisting VDOM path / trying to process a file using pm_pattern module with LogLevel DEBUG this is what I get: 2016-11-16 13:38:00 DEBUG regexp '^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$' did not match against ' 13:38:00.1857 [-] Persisting VDOM path /' Part of the xml file used to process the input: <pattern> <id>1</id> <name>log_line</name> <description>Regular log line</description> <matchfield> <name>raw_event</name> <type>regexp</type> <value>^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$</value> <capturedfield> <name>EventTime</name> <type>string</type> </capturedfield> <capturedfield> <name>SourceName</name> <type>string</type> </capturedfield> <capturedfield> <name>Message</name> <type>string</type> </capturedfield> </matchfield> </pattern> What is wrong with my expression?

This one works:

^\s+(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[\S+\])\s+(.*)$

Of course it is a better one overall, however none of the online regular expression tools (regexr.com or others) do not complain on the original one. Maybe it would be beneficial to somehow document regular expression dialect used in nxlog?

Best,

Tomasz