I am trying to pull specific lines from a log file. I have a format that is repeated and I have a regex that is pulling the info from those lines. My problem is that there are 3 lines that have the same format. I need a way to pull each line separately. The REGEX I am using for the field extraction looks like this:
(?i)^(?:[^:]*:){3}(?P<log_error>.+)
The regex works but it is pulling lines that have LOG ERROR, LOG INFO and LOG EXCEPTION. The logs look like this:
LOG ERROR:6/6/2014 3:37 PM:
LOG INFO:6/6/2014 3:37 PM:
LOG EXCEPTION:6/6/2014 3:37 PM:
I have tried putting text into the REGEX for each line but I must be inputting something incorrectly. My goal is to create three field extractions (logerror, loginfo and logexcept). I know I just need to add a simple text match to the REGEX but I cannot figure out what I am doing wrong.
I recommend:
(?i)^LOG\s*(?P<log_info>[^:]*):(?P<log_date>[^:]*)
as an automatic field extraction if the events are separated. Otherwise you need to fix the indexing so that the events are separated.
Give this a try
Your base search | rex "(?i)^LOG (INFO(?:[^:]*:){3}(?P<loginfo>.+)|ERROR(?:[^:]*:){3}(?P<logerror>.+)|EXCEPTION(?:[^:]*:){3}(?P<logexcept>.+))"
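An added example, not part of any post above: Python's re module accepts the same (?P<name>...) syntax, so the three per-level extractions asked for in the question can be checked offline. It assumes one pattern per field with the level name pinned as a literal before the first colon (so the repeat count drops from 3 to 2); the message text after each timestamp is constructed, since the question shows only the line prefixes.

```python
import re

# One anchored pattern per level. The level name is matched literally and is
# followed directly by ':', so only two more colon-terminated chunks remain
# before the message: "6/6/2014 3:" and "37 PM:".
PATTERNS = {
    "logerror":  re.compile(r"(?i)^LOG ERROR:(?:[^:]*:){2}(?P<logerror>.+)"),
    "loginfo":   re.compile(r"(?i)^LOG INFO:(?:[^:]*:){2}(?P<loginfo>.+)"),
    "logexcept": re.compile(r"(?i)^LOG EXCEPTION:(?:[^:]*:){2}(?P<logexcept>.+)"),
}

# Constructed sample events: the prefixes follow the format in the question,
# the messages are invented for this example.
SAMPLE = [
    "LOG ERROR:6/6/2014 3:37 PM: disk quota exceeded",
    "LOG INFO:6/6/2014 3:37 PM: service started: worker 2",  # colon in message
    "LOG EXCEPTION:6/6/2014 3:37 PM: NullReference at Foo.Bar",
    "log error:6/6/2014 3:38 PM: lower-case prefix",         # (?i) applies
    "LOG INFO:6/6/2014 3:39 PM:",                            # no message text
    "unrelated line",
]


def extract(line):
    """Return {field: message} for the one level that matches, else {}."""
    for field, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return {field: m.group(field).strip()}
    return {}


def extract_all(lines):
    """Run extract() over every line, keeping input order."""
    return [extract(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE, extract_all(SAMPLE)):
        print(f"{line!r:60} -> {fields}")
```

Because the message group is `.+`, a line that ends right after the timestamp produces no field at all rather than an empty one.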