Regex pattern to parse HttpLog format

Question

I am looking for a regex pattern matcher for a String in HttpLogFormat. The log is generated by haproxy. Below is a sample String in this format.

Feb 6 12:14:14 localhost haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} {} "GET /index.html HTTP/1.1"

An explanation of the format is available at HttpLogFormat. Any help is appreciated.

I am trying to get the individual peices of information included in that line. Here are the fields:

process_name '[' pid ']:'
client_ip ':' client_port
'[' accept_date ']'
frontend_name
backend_name '/' server_name
Tq '/' Tw '/' Tc '/' Tr '/' Tt*
status_code
bytes_read
captured_request_cookie
captured_response_cookie
termination_state
actconn '/' feconn '/' beconn '/' srv_conn '/' retries
srv_queue '/' backend_queue
'{' captured_request_headers* '}'
'{' captured_response_headers* '}'
'"' http_request '"'

What are you trying to parse from this line? It's one thing to match it, it's another thing to get particular pieces of information from it. — eldarerathis, Oct 29 '10 at 20:00
It really depends on what you want to match. All of the information, or only part of it? — jordanbtucker, Oct 29 '10 at 20:01
sorry guys .. just took me a while to add those 16 lines. HAproxy generates the log in this format. I just want to parse the data efficiently. There is a detailed explanation of the format on the HttpLogFormat link posted in the question. — Thimmayya, Oct 29 '10 at 20:07

Mike Clark · Accepted Answer · 2010-10-30T01:46:59.397

Regex:

^(\w+ \d+ \S+) (\S+) (\S+)\[(\d+)\]: (\S+):(\d+) \[(\S+)\] (\S+) (\S+)/(\S+) (\S+) (\S+) (\S+) *(\S+) (\S+) (\S+) (\S+) (\S+) \{([^}]*)\} \{([^}]*)\} "(\S+) ([^"]+) (\S+)" *$

Results:

Group 1:    Feb 6 12:14:14
Group 2:    localhost
Group 3:    haproxy
Group 4:    14389
Group 5:    10.0.1.2
Group 6:    33317
Group 7:    06/Feb/2009:12:14:14.655
Group 8:    http-in
Group 9:    static
Group 10:   srv1
Group 11:   10/0/30/69/109
Group 12:   200
Group 13:   2750
Group 14:   -
Group 15:   -
Group 16:   ----
Group 17:   1/1/1/1/0
Group 18:   0/0
Group 19:   1wt.eu
Group 20:   
Group 21:   GET
Group 22:   /index.html
Group 23:   HTTP/1.1

I use RegexBuddy for composing complex regular expressions.

Thanks.. this worked pretty well. just needed a few tweaks to handle some custom scenarios. — Thimmayya, Nov 04 '10 at 22:40

eldarerathis · Answer 2 · 2010-10-29T20:33:47.407

Use at your own peril.

This assumes that all fields return something except for the ones you have marked with asterisks (is that what the asterisk means)? There are also obvious failure cases such as nested brackets of any kind, but if the logger prints reasonably sane messages, then I guess you'd be okay...

Of course, even I personally wouldn't want to have to maintain this, but there you have it. You might want to consider writing a regular ol' parser for this instead, if you can.

Edit: Marked this as CW since it's more of a "I wonder how this will turn out" kind of answer than anything else. For quick reference, this is what I ended up constructing in rubular:

^[^[]+\s+(\w+)\[(\d+)\]:([^:]+):(\d+)\s+\[([^\]]+)\]\s+[^\s]+\s+(\w+)\/(\w+)\s+(\d+)\/(\d+)\/(\d+)\/(\d+)\/(\d*)\s+(\d+)\s+(\d+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s(\d+)\/(\d+)\/(\d+)\/(\d+)\/(\d+)\s+(\d+)\/(\d+)\s+\{([^}]*)\}\s\{([^}]*)\}\s+\"([^"]+)\"$

My first programming language was Perl, and even I'm willing to admit that I'm frightened by that.

+1 just for putting that nasty thing out! I'll try it out and update how it goes. — Thimmayya, Oct 29 '10 at 20:46
Thanks for the solution. It works okay for the most part. Mike's solution above works better and the regex is simpler and more flexible. I used rubular to tweak the regex and it is a nice tool. — Thimmayya, Nov 04 '10 at 22:39

score 1 · Answer 3 · answered Oct 29 '10 at 20:07

That looks like a very complicated string to match on. I would recommend using a tool like Expresso. Start with the string you are trying to match then start replacing pieces of it with Regex notation.

To grab individual pieces, use grouping parentheses.

The other option would be to make a regex for each piece you are trying to grab.

score 1 · Answer 4 · answered Oct 29 '10 at 21:39

Why are you trying to match the line precisely ? If you're looking for specific fields in it, better specify which ones and extract them. If you want to run statisticts on haproxy logs, you should take a look at the "halog" tool in the "contrib" directory in the sources. Take the one from version 1.4.9, it even knows how to sort URLs by response time.

But whatever you want to do with those lines, regex will probably always be the slowest and most complex solution.

score 0 · Answer 5 · edited Apr 13 '17 at 12:13

0

I don't think regex is your best option here...however, if it's your ONLY option...

Try looking at these options instead. https://serverfault.com/q/62687/438

edited Apr 13 '17 at 12:13

Community

1
1

answered Oct 29 '10 at 20:26

Keng

52,011
32
81
111

what other options do you suggest? – Thimmayya Oct 29 '10 at 20:48

Regex pattern to parse HttpLog format

5 Answers5