Regex Pattern Help for Logs - Overclock.net - An Overclocking Community

post #1 of 3 - 07-06-2016, 03:57 PM - Thread Starter: Buster
Hi,

I am trying to create a regex pattern to capture the different fields from logs.

Sample log entries:
2016-07-06 19:09:15,408 UTC WARN [] () [de.hybris.platform.acceleratorcms.context.ContextInformationLoader] Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!

2016-07-06 19:09:15,408 UTC WARN [[33.33.333.333] ] () [de.hybris.platform.acceleratorcms.context.ContextInformationLoader] Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!

2016-07-06 19:09:15,408 UTC WARN [[33.33.333.333] [33.33.333.333] ] () [de.hybris.platform.acceleratorcms.context.ContextInformationLoader] Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!

2016-07-06 19:09:15,408 UTC WARN [[33.33.333.333] [33.33.333.333] [33.33.333.333] or more ] () [de.hybris.platform.acceleratorcms.context.ContextInformationLoader] Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!

I have gotten this far: http://rubular.com/r/RWhUNnRjQj.

I need to capture all the IPs only within the [], the java class only, de.hybris.platform.acceleratorcms.context.ContextInformationLoader, within the [], and the rest of the message only, Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!.

The capture should be something like so:
1. 2016-07-06 19:09:15,408 UTC
2. WARN
3. 33.33.333.333
4. 33.33.333.333
5. de.hybris.platform.acceleratorcms.context.ContextInformationLoader
6. Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!

Please help. Thanks.

post #2 of 3 - 07-06-2016, 04:30 PM - mykah89
^(.*\d UTC) (.*?) \[(.*)\].*?\(\) \[(.*?)\] (.*?!)$

global and multiline flags

Gets you most of the way there, I think; you will probably need to do further processing on the IP string as a match group regardless.

https://regex101.com/

post #3 of 3 - 07-19-2016, 04:02 AM - stolemyowncar
Well this is kind of late, but one thing to remember is that you always have split available as well. You don't just have to do straight regex and capture groups, as inclined as I usually am towards that solution. Depending on the setup of the data, just keep in mind that regex isn't always the answer. Sometimes it's like hitting a small nail with a sledgehammer.

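i.e., in JavaScript:
Code:
var str='2016-07-06 19:09:15,408 UTC WARN [[33.33.333.333] [33.33.333.333] ] () [de.hybris.platform.acceleratorcms.context.ContextInformationLoader] Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!';
// Split on every [ or ] (plus any whitespace after it), then drop the
// empty pieces and the bare "()" field.
var arr=str.split(/[\[\]]\s*/).filter(function(v)
{
    // Anchored so that a message which merely contains "()" is not discarded.
    return v!==''&&!v.match(/^\(\)\s*$/);
});
console.log(arr);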

Will give you
Code:
["2016-07-06 19:09:15,408 UTC WARN ", "33.33.333.333", "33.33.333.333", "de.hybris.platform.acceleratorcms.context.ContextInformationLoader", "Cannot find CMSSite associated with current URL (http://example.somewhere.local/favicon.ico)!"]

Unfortunately the indices of the matches will be ambiguous thanks to the IP addresses, but they would be in most regex solutions as well. You would have to use something like Perl grammar for more clarity:
http://search.cpan.org/~dconway/Regexp-Grammars-1.045/lib/Regexp/Grammars.pm

But honestly this is more trouble than it is worth. It would be easier to just do postprocessing on the array to prune out the IP addresses.
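
Added example (not part of any post in this thread): a two-stage JavaScript parser for the log format in the question. One anchored regex matches the fixed fields, then a second pass pulls the bracketed addresses into their own array, so field positions stay the same for zero, one or many IPs and brackets inside the message are left alone. The field layout is inferred from the sample lines; `parseLine`, its field names, and the assumption that the `()` field may carry content are illustrative.

```javascript
// Added example: layout inferred from the sample lines in the question.
const TS  = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [A-Z]+/.source; // date, time, zone
const IPS = /\[((?:\[[^\[\]]*\]\s*)*)\]/.source; // outer [] holding zero or more [addr]
const LINE_RE = new RegExp(
  `^(${TS}) ([A-Z]+) ${IPS} \\([^()]*\\) \\[([^\\[\\]]+)\\] (.*)$`
);

// Returns null for lines that do not start a log record (e.g. stack-trace
// continuation lines), so callers can count or quarantine them instead of
// silently mis-parsing them.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (m === null) return null;
  // Stage 2: extract each inner [..] from the address group only.
  // The values are kept as opaque strings: the thread's anonymised samples
  // (33.33.333.333) are not valid IPv4, so no octet validation is done here.
  const ips = [];
  for (const hit of m[3].matchAll(/\[([^\[\]]*)\]/g)) ips.push(hit[1]);
  return { timestamp: m[1], level: m[2], ips: ips, logger: m[4], message: m[5] };
}

// Constructed sample: two addresses, and a message that itself contains
// brackets and "()" (which a split on [ and ] would break apart).
const SAMPLE =
  '2016-07-06 19:09:15,408 UTC WARN [[33.33.333.333] [33.33.333.333] ] () ' +
  '[de.hybris.platform.acceleratorcms.context.ContextInformationLoader] ' +
  'Rejected [token] from call() on /favicon.ico';

console.log(parseLine(SAMPLE));
```

Because the message is captured as "everything after the logger field", attacker-influenced text such as a requested URL cannot shift the timestamp, level or address fields.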