2 responses

I have the following regexp:

^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[\S+\])\s+([\s\S]*)$

and a line from the log that I am trying to parse (there are some spaces at the beginning of the line):

 13:33:00.1205 [-] Persisting VDOM path /

Trying to process a file using the pm_pattern module with LogLevel DEBUG, this is what I get:

2016-11-16 13:38:00 DEBUG regexp '^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$' did not match against '  13:38:00.1857 [-] Persisting VDOM path /'

Part of the xml file used to process the input:

<pattern>
    <id>1</id>
    <name>log_line</name>
    <description>Regular log line</description>
    <matchfield>
        <name>raw_event</name>
        <type>regexp</type>
        <value>^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$</value>                        
        <capturedfield>
            <name>EventTime</name>
            <type>string</type>
        </capturedfield>
        <capturedfield>
            <name>SourceName</name>
            <type>string</type>
        </capturedfield>
        <capturedfield>
            <name>Message</name>
            <type>string</type>
        </capturedfield>
    </matchfield>
</pattern>

What is wrong with my expression? 

 

Asked November 16, 2016 - 11:17am

Answer (1)

This one works:

^\s+(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[\S+\])\s+(.*)$

Of course it is a better one overall; however, none of the online regular expression tools (regexr.com or others) complain about the original one. Maybe it would be beneficial to somehow document the regular expression dialect used in nxlog?

Best,

Tomasz

Comments (1)

  • b0ti (NXLog)

    NXLog uses the PCRE engine for regular expressions. Most online regexp checkers use JavaScript, so there are some differences.

    Note that your regexp has the following:

    ^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*

    I believe this should be \S+
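
The check below is an added example, not part of the original thread and not NXLog code. It reads the regexp out of the pattern XML itself, rather than the copy pasted into an online tester, and runs it against the sample log line, which exposes the dropped backslashes. The names `check_pattern` and `pattern_xml` are hypothetical, and Python's `re` is assumed to behave like PCRE for the constructs used here.

```python
import re
import xml.etree.ElementTree as ET

# Regexp exactly as it appears in the question's <value> element and DEBUG line.
AS_DEPLOYED = r"^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[S+\])s+([\s\S]*)$"
# Regexp the question says was intended.
AS_INTENDED = r"^\s*(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\[\S+\])\s+([\s\S]*)$"
# Log line quoted in the DEBUG output.
SAMPLE = "  13:38:00.1857 [-] Persisting VDOM path /"


def pattern_xml(regexp):
    """Build a <pattern> shaped like the one in the question (abridged)."""
    fields = "".join(
        f"<capturedfield><name>{n}</name><type>string</type></capturedfield>"
        for n in ("EventTime", "SourceName", "Message"))
    return ("<pattern><id>1</id><name>log_line</name><matchfield>"
            "<name>raw_event</name><type>regexp</type>"
            f"<value>{regexp}</value>{fields}</matchfield></pattern>")


def check_pattern(xml_text, sample):
    """Return (problems, captured) for the regexp matchfields of one pattern."""
    problems, captured = [], {}
    for mf in ET.fromstring(xml_text).iter("matchfield"):
        if (mf.findtext("type") or "").strip() != "regexp":
            continue
        value = (mf.findtext("value") or "").strip()
        names = [cf.findtext("name") for cf in mf.findall("capturedfield")]
        try:
            # Assumption: Python's re stands in for PCRE; the constructs used
            # here (\s, \S, \d, {n}, classes, anchors) behave the same in both.
            rx = re.compile(value)
        except re.error as exc:
            problems.append(f"regexp does not compile: {exc}")
            continue
        if rx.groups != len(names):
            problems.append(f"{rx.groups} groups vs {len(names)} capturedfields")
        m = rx.search(sample)
        if m is None:
            problems.append(f"no match for sample line: {value}")
        else:
            captured.update(zip(names, m.groups()))
    return problems, captured


if __name__ == "__main__":
    for rx in (AS_DEPLOYED, AS_INTENDED):
        print(check_pattern(pattern_xml(rx), SAMPLE))
```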