Required robust regex to fetch the last value of t...

muthvin · ‎01-16-2016

Hi,
I need a regex which will fetch the last value of log events ends with [abcd].
Currently the challenge i'm facing here is my log events.
Here the sample log has 2 lines , next will have 4 lines, next 10 lines and so on...
I need a robust regex which will fetch the last value here the value is 4.

My initial regex : ^(?:[^[\n]*[){4}(?P<test>[^]]+)

Sample log event :
2016-01-13 05:39:12.413Z [Rabbit listener thread] [finance] INFO [c.t.events.EventDemultiplexer] finance event demultiplexer completed event processing [LB-g6yp6980-j4as-w1sc-nhc4-n9gnryla8s7o]

Kindly help!

tgow · ‎01-16-2016

I wasn't sure exactly which 4 you meant. This gets the 4 of nhc4. \s+\[\w+-[^-]+[^-]+-[^-]+-[^-]+-\w{3}(?[^-]+)[^\n]+$

acharlieh · ‎01-16-2016

Either anchor your regex to the end with$ instead of the beginning, and get the last bracketed string (also likely no need for repetition, but that's a function of what you need to validate in extracting), or depending on your use case you could remove the anchor and repetition completely and extract all bracketed strings into a multi-valued field (rex command use max_match=0 or in transforms.conf check out MV_ADD) then using multivalue eval functions pull out the last value.

Required robust regex to fetch the last value of the log events.

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update