I've been asked to ingest some JSON logs for auditing purposes, but I can't get the event breaking right. I'm pretty good with regex, but this one is stumping me. The regex shouldn't need to be complicated!
Here's a snippet from the log. I've truncated the content field with "..." as the content field can be quite large.
{
    "_id" : "4befb832-6d00-44d6-8001-f4445a752a6f",
    "_t" : ["AuditEvent", "RequestEvent"],
    "AppId" : null,
    "UserId" : null,
    "Timestamp" : "2016-03-02T16:09:42.354Z",
    "RequestEventType" : 0,
    "RequestEventStatus" : 0,
    "Content" : "Email.AddToQueue::xxx@xxx.com::True::<?xml version=\"1.0\"..."
}, {
    "_id" : "98dde3f0-f87a-49f5-822a-35862cc9ebfe",
    "_t" : ["AuditEvent", "CoopImportExportEvent"],
    "AppId" : "14f1d3b7-2bae-488c-8004-818adf991204",
    "Timestamp" : "2016-03-02T16:13:05.999Z",
    "UserAction" : 0,
    "UserActionTxt" : "DeleteAdhocLayer",
    "Notes" : "Adhoc layer: Import Regression Test - deleted ",
    "UserId" : "00000000-0000-0000-0000-000000000000",
    "UserName" : "xxx@xxx.com"
}
I started with the simplest match, which should achieve what I need, i.e. BREAK_ONLY_BEFORE=\}, and also without the escaping slash, as I believe in PCRE it shouldn't be needed.
Then I tried extending the regex pattern, adding comma, space, etc. followed by \"_id\" and other variations. I've been messing around with MUST_BREAK_AFTER and BREAK_ONLY_BEFORE, but I can't even get a partial match. Really not sure what's going on with this one.
Any ideas?
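The boundary in this data is the `}, {` that shares one line, so a Splunk-style LINE_BREAKER (paired with SHOULD_LINEMERGE=false) whose capturing group swallows only the `, ` leaves the closing brace with one event and the opening brace with the next. The script below is an added example, not from the original post: it mimics that capture-group semantics over a constructed sample modelled on the snippet above, with the pattern `\}(\s*,\s*)\{` as an assumed setting, and then checks that each resulting event is a complete JSON record, which is the property an audit pipeline actually needs.

```python
import json
import re

# Constructed sample, modelled on the snippet in the question: two audit events
# joined by "}, {" on a single line, with a truncated Content field.
SAMPLE = """{
"_id" : "4befb832-6d00-44d6-8001-f4445a752a6f",
"_t" : ["AuditEvent", "RequestEvent"],
"Timestamp" : "2016-03-02T16:09:42.354Z",
"Content" : "Email.AddToQueue::xxx@xxx.com::True::<?xml version=\\"1.0\\"..."
}, {
"_id" : "98dde3f0-f87a-49f5-822a-35862cc9ebfe",
"_t" : ["AuditEvent", "CoopImportExportEvent"],
"Timestamp" : "2016-03-02T16:13:05.999Z",
"UserActionTxt" : "DeleteAdhocLayer"
}"""

# Assumed props.conf value under test. The capturing group is the text that is
# discarded; everything before it ends one event, everything after it starts the next.
LINE_BREAKER = r"\}(\s*,\s*)\{"


def split_events(raw: str, line_breaker: str) -> list:
    """Mimic LINE_BREAKER: cut the stream at each match, dropping only the text
    captured by group 1 and keeping the surrounding text with its event."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain one capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])  # up to the group -> previous event
        start = m.end(1)                      # after the group -> next event
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def parse_events(raw: str, line_breaker: str) -> list:
    """Split, then insist every event is a complete JSON object with an _id;
    an audit pipeline should reject a mis-broken event, not index half a record."""
    parsed = []
    for ev in split_events(raw, line_breaker):
        obj = json.loads(ev)  # raises if the boundary cut inside a record
        if "_id" not in obj:
            raise ValueError("event without _id: %s" % ev[:40])
        parsed.append(obj)
    return parsed


if __name__ == "__main__":
    for obj in parse_events(SAMPLE, LINE_BREAKER):
        print(obj["_id"], obj["Timestamp"], obj["_t"][1])
```

Note that a literal `}, {` inside a string value (the large Content field, say) would also match this pattern, so the JSON check after splitting is what tells you whether the boundary regex is safe for your real data.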