Need guidance in delimiter for regex

Question

Trying to send multiline Kafka log from RSYSLOG to FLuentd.

(?<date>\[.*?\]) (.*?) ((.|\n*)*)

But my regex is considering next timestamp pattern as a single line. Requirement is to stop before the next timestamp starts.

Wiktor Stribiżew · Accepted Answer · 2022-07-22T12:31:09.103

2

You can match all subsequent lines that start with either a TAB or a space char:

(?<date>\[[^][]*]) ([A-Z]+) (.*(?:\n(?!\[\d{4}-\d\d-\d\d).*)*)

Details

(?<date>\[[^][]*]) - Group "date": [, zero or more chars other than square brackets, ]
- space
([A-Z]+) - Group 2: one or more uppercase ASCII letters
- space
(.*(?:\n(?!\[\d{4}-\d\d-\d\d).*)*) - Group 3:
- .* - any zero or more chars other that line break chars as many as possible
- (?:\n(?!\[\d{4}-\d\d-\d\d).*)* - zero or more sequences of
  - \n(?!\[\d{4}-\d\d-\d\d) - a newline, LF, char not followed with [, four digis, -, two digits, -, two digits
  - .* - any zero or more chars other that line break chars as many as possible

edited Jul 22 '22 at 12:31

answered Jul 22 '22 at 11:44

Wiktor Stribiżew

[link] (https://regex101.com/r/xae1bi/1) If I just reverse the order of ERROR and INFO it doesn't work. Say, I have 3 blocks (error, info and error) then the regex won't work. Can you help on that regex? – Gautam Jul 22 '22 at 12:01
1

@gomzi007 Ok, what about excluding `[` at the start of a line? `(?\[.*?\]) (.*?) (.*(\n[^[\r\n].*)*)`? – Wiktor Stribiżew Jul 22 '22 at 12:04
1

@gomzi007 See also `(?\[[^][]*]) ([A-Z]+) (.*(?:\n(?!\[\d{4}-\d\d-\d\d).*)*)` – Wiktor Stribiżew Jul 22 '22 at 12:09
1

-(?\[[^][]*]) ([A-Z]+) (.*(?:\n(?!\[\d{4}-\d\d-\d\d).*)*) This looks perfect since the other regex was breaking into one extra group. Bow to you.. – Gautam Jul 22 '22 at 12:30

1 Answers1