Extract fields of Apache Web Log using PCRE Regex

Question

Using a PRCE Regex, I want to capture each field of different apache weblogs. The structure of these logs is like this example:

aaa bbb "cc c" ddd "eee" fff

Each field is seperated by a space. But fields may also contain spaces in which case they are held together by quotes at the beginning and the end of the field("cc c"). Fields not containing spaces my also have quotes at the beginning and the end of the field ("eee").

The result should have a capture group for each field so for the example that should be: Group1: aaa Group2: bbb Group3: "cc c" Group4: ddd Group5: "eee" Group6: fff

My problem is that I want a one-fits-all solution, e.g. witha a quantifier - something like this: (?:((aa|bb|"cc"|dd)\s){1,})

But here the quantifier always repeats at aaa .

A tidy, working solution is much appreciated.

Answer 1

I understand you're using PCRE, the question is what actual tool are you using to process the regex.

Assuming you use perl itself, let's study what a field is made up of ?

1. Starts with optional open double quote "
2. Any character not a double quote
3. A closing "

In regex the above expression looks like this:

"?[^"]+"?

You can then, optionally, quantify the above and specify how many columns you have:

("?[^"]+"?){1,6}

The above says allow 1 to 6 of such fields, the question just becomes how to apply/use the regex? That depends on the tool, in perl it could look like:

@groups = $apache_line =~ m/("?[^"]+"?)/g

From here $groups[0] would have aaa $group[1]: bbb ... $group[5]: fff

The above works because the m// operator is in list context