1

I need to create a regex expression for fluent bit This is what I tried

^(?<log_time>[0-9-]+ [:0-9,]+)\s+\s+(?<severity>\w+)\s+-\s+(?<message>.*)

Input is 2022-07-20 15:21:31,994 - INFO - Moving to Dashboard

Desired output:

    log_time:  2022-07-20 15:21:31,994
    severity:  INFO
    message:   Moving to Dashboard

How can I achieve this? (at some point I am getting the log_time before milliseconds but that's not enough) Help would be appreciated. Thank you

Ramzan Mahmood
  • 1,881
  • 2
  • 21
  • 46
  • 1
    Try `^(?[0-9-]+ [:0-9,]+)\s+-\s+(?\w+)\s+-\s+(?.*)` ([demo](https://regex101.com/r/QDPqYB/1)) – Wiktor Stribiżew Jul 22 '22 at 14:48
  • Your pattern tries to match characters that are not there, like the starting `[` and the `T` – The fourth bird Jul 22 '22 at 14:48
  • Thank you @WiktorStribiżew, appreciated, Can you please share any best cheat sheet to learn regex. – Ramzan Mahmood Jul 22 '22 at 14:51
  • 1
    Here are lessons at [regexone.com](http://regexone.com/), you can also read through [regular-expressions.info](http://www.regular-expressions.info), [regex SO tag description](http://stackoverflow.com/tags/regex/info) (with many other links to great online resources), and the community SO post called [What does the regex mean](http://stackoverflow.com/questions/22937618/reference-what-does-this-regex-mean). Also, [rexegg.com](http://rexegg.com) is worth having a look at. – Wiktor Stribiżew Jul 22 '22 at 14:57
  • If i change the event to this type `2022-07-20 15:21:40,345 [I]: brc.py:118 - Moving to FLB ` i tried making expression this way `^(?[0-9-]+ [:0-9,]+)\s+(?[\w+)+]:\s+(?[\w]+[.0-9,]+[:\w]+)\s+-\s+(?.*)` here the only issue i can see is the with `[I]` can you please have a look and i guess it can be improved as well. @WiktorStribiżew – Ramzan Mahmood Jul 22 '22 at 15:40
  • 1
    See https://regex101.com/r/QDPqYB/2 – Wiktor Stribiżew Jul 22 '22 at 19:18

1 Answers1

1

You can use

^(?<log_time>[0-9-]+ [:0-9,]+)\s+-\s+(?<severity>\w+)\s+-\s+(?<message>.*)

See the regex demo. Details:

  • ^ - start of string
  • (?<log_time>[0-9-]+ [:0-9,]+) - Log time: one or more digits or -, then a space, and then one or more colons, digit or commas
  • \s+-\s+ - a hyphen wrapped with one or more whitespaces
  • (?<severity>\w+) - Severity: one or more word chars
  • \s+-\s+ - a hyphen wrapped with one or more whitespaces
  • (?<message>.*) - Message: any zero or more chars other than line break chars as many as possible (no need of $)
Wiktor Stribiżew
  • 607,720
  • 39
  • 448
  • 563