Log Insight allows for powerful and complex Java-based regular expression queries. The Log Insight documentation only briefly touches on regular expression examples, so in this post I would like to dig a little deeper: walk through the different regular expression constructs that Log Insight supports and give a few examples of each.
Characters
- \ = escapes a special character
- \b = word boundary
- \B = not a word boundary
- \d = one digit
- \D = one non-digit
- \n = new line
- \r = return character
- \s = one whitespace character (space, tab or new line)
- \S = one character that is not a white space
- \t = tab
- \w = one alphanumeric or underscore character
- \W = one character that is not alphanumeric or underscore
Examples: 1234-5678
- \d = 1
- \d+ = 1234
- \w+ = 1234
- \S+ = 1234-5678
Quantifiers
- . = any one character except new line
- * = zero or more of the preceding item, matching as much as possible (greedy)
- ? = zero or one of the preceding item; placed after another quantifier, it makes that quantifier match as little as possible (lazy)
- + = one or more
- {<n>} = exactly <n> times
- {<n>,<m>} = <n> to <m> times
Examples: aaaaa
- . = a
- .* = aaaaa
- .*? = aaaaa
- .{1} = a
- .{1,2} = aa
Combinations
- .* = anything
- .*? = anything, as short as possible, before the next part of the pattern
Examples: a b 3 hi d hi
- a .* hi = b 3 hi d (the .* runs on to the last hi)
- a .*? hi = b 3 (the .*? stops at the first hi)
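To see the character classes, counted quantifiers and greedy versus lazy matching working together on a realistic entry, here is an added example (mine, not code from the original post), using Python's re module as a stand-in for Log Insight's Java regex engine; the log line is constructed, and the constructs used here (\d, \w, \S, {n,m}, .*, .*?, [^...]) behave the same way in both engines.

```python
import re

# Constructed sample log line (not from the original post). The bracketed
# section appears twice so that greedy and lazy quantifiers give different
# answers; the opid value mirrors the post's 1234-5678 example.
SAMPLE_LINE = ("2014-10-01T12:00:00 host1 vpxa: opid=1234-5678 "
               "[task started] cpu=97 [task ended]")


def capture(pattern, text=SAMPLE_LINE):
    """Return group 1 of the first match of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def character_class_demo(text=SAMPLE_LINE):
    """Apply the post's character classes and counts to the opid value."""
    return {
        "digit": capture(r"opid=(\d)", text),            # "1"
        "digits": capture(r"opid=(\d+)", text),          # "1234": + stops at the hyphen
        "word": capture(r"opid=(\w+)", text),            # "1234": the hyphen is not \w
        "non_space": capture(r"opid=(\S+)", text),       # "1234-5678": \S accepts the hyphen
        "one_or_two": capture(r"opid=(.{1,2})", text),   # "12": {n,m} takes as many as allowed
    }


def greedy_vs_lazy(text=SAMPLE_LINE):
    """Show why .* overruns a repeated delimiter while .*? stops at the first one."""
    return {
        "greedy": capture(r"\[(.*)\]", text),              # runs on to the LAST ]
        "lazy": capture(r"\[(.*?)\]", text),               # stops at the FIRST ]
        "negated_class": capture(r"\[([^\]]*)\]", text),   # same result as lazy, without backtracking
        "all_lazy": re.findall(r"\[(.*?)\]", text),        # every bracketed section
        # The post's own a/hi example, run as written:
        "post_greedy": capture(r"a (.*) hi", "a b 3 hi d hi"),   # "b 3 hi d"
        "post_lazy": capture(r"a (.*?) hi", "a b 3 hi d hi"),    # "b 3"
    }


if __name__ == "__main__":
    for name, value in {**character_class_demo(), **greedy_vs_lazy()}.items():
        print(f"{name:14} -> {value!r}")
```

The negated character class [^\]]* is the form to prefer in a Log Insight filter when the delimiter is a single character: it gives the same answer as the lazy .*? but the engine never has to back up, which matters on large result sets.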
Logic
- ^ = beginning of a line, OR negation when it is the first character inside []
- $ = end of a line
- () = grouping
- [] = one character in brackets
- | = or
- - = range, when used inside [] (for example [a-c])
- \A = beginning of a string
- \Z = end of a string
Examples:
- (hello)? = hello is optional, so this matches whether or not hello is present
- (a|b|c) = a OR b OR c
- [a-cp] = a OR b OR c OR p
- world$ = ends with world followed by nothing else
Lookahead
- (?= = positive lookahead (is followed by)
- (?! = negative lookahead (is not followed by)
Examples:
- is (?=\w+)\w{2} primary = is FT primary? false
- opid=(?!WFU-1fecf8f9)\S+ = WFU-3c9bb994
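The logic and lookahead constructs from the last two sections, as an added example (mine, not code from the original post) run over constructed log lines, again using Python's re in place of the Java engine. The two WFU opids and the "is FT primary? false" text come from the post; the surrounding fields, the hostd line and the WFU-1fecf8f9abc value are made up to show where the bare negative lookahead over-rejects.

```python
import re

# Constructed log lines (not from the original post). The two WFU-* opids and
# the "is FT primary? false" message reuse values that appear in the post; the
# surrounding fields are made up.
LINES = [
    "2014-10-01 12:00:01 vpxa: opid=WFU-1fecf8f9 task=relocate status=ok",
    "2014-10-01 12:00:02 vpxa: opid=WFU-3c9bb994 task=relocate status=error",
    "2014-10-01 12:00:03 hostd: opid=HB-42 task=heartbeat status=ok",
    "2014-10-01 12:00:04 vpxa: opid=WFU-1fecf8f9abc task=relocate status=error",
    "2014-10-01 12:00:05 vpxa: is FT primary? false",
]


def components(lines=LINES):
    # ^ pins the pattern to the start of the line, {n} fixes the field widths,
    # and (vpxa|hostd) is alternation: only these two components are accepted.
    pattern = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (vpxa|hostd):")
    return [m.group(1) for m in map(pattern.match, lines) if m]


def opids_excluding(lines=LINES, excluded="WFU-1fecf8f9", exact=True):
    # Negative lookahead, as in the post's opid=(?!WFU-1fecf8f9)\S+ example.
    # (?!X) rejects any value that merely STARTS with X, so the bare form
    # (exact=False) also drops WFU-1fecf8f9abc; adding \b inside the
    # lookahead (exact=True) rejects only the exact value.
    boundary = r"\b" if exact else ""
    pattern = re.compile(r"opid=(?!" + re.escape(excluded) + boundary + r")(\S+)")
    found = []
    for line in lines:
        m = pattern.search(line)
        if m:
            found.append(m.group(1))
    return found


def failed_opids(lines=LINES):
    # Positive lookahead: (?=.*status=error) checks the rest of the line
    # without consuming it, so group 1 still holds only the opid.
    pattern = re.compile(r"opid=(\S+)(?=.*status=error)")
    return [m.group(1) for m in map(pattern.search, lines) if m]


def ft_primary(lines=LINES):
    # The post's positive-lookahead example, run as written; returns the text
    # each match covers.
    pattern = re.compile(r"is (?=\w+)\w{2} primary")
    return [m.group(0) for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    print(components())                   # ['vpxa', 'vpxa', 'hostd', 'vpxa', 'vpxa']
    print(opids_excluding())              # ['WFU-3c9bb994', 'HB-42', 'WFU-1fecf8f9abc']
    print(opids_excluding(exact=False))   # ['WFU-3c9bb994', 'HB-42']
    print(failed_opids())                 # ['WFU-3c9bb994', 'WFU-1fecf8f9abc']
    print(ft_primary())                   # ['is FT primary']
```

The exact/bare difference in opids_excluding is the caveat to keep in mind when using (?!...) to exclude a known value in a filter: the lookahead compares a prefix, not a whole token, unless you end it with \b or a following delimiter.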
© 2014, Steve Flanders. All rights reserved.
Thanks Steven. Very useful. I’m trying to search for any word that ends with XYZ. The log entries consist of entries that have strings such as 1XYZ, 1234XYZ, abcdefXYZ. Basically, there is a range of characters that ends with XYZ. How do I do that?
I used XYZ$ and it’s not working.
I tried ….XYZ or .XYZ and it’s not showing any results.
Thanks! You would need to construct a regex that matches the keyword you are searching for. This means you need to add a filter for text matches regex \S+XYZ. Note that such a query is not efficient and may cause performance issues. You should add complete keywords to the search bar to optimize this query. I hope this helps!
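Working through the question above on constructed log lines (an added example, not part of the comment thread), assuming the text matches regex filter behaves like an unanchored search, as Python's re.search does:

```python
import re

# Constructed log lines (not from the comment thread). Lines 1-3 contain the
# commenter's sample tokens; line 4 has XYZ at the start of a token and line 5
# has XYZ as the very last thing on the line.
LINES = [
    "2014-10-01 12:00:01 app: device=1XYZ status=ok",
    "2014-10-01 12:00:02 app: device=1234XYZ status=ok",
    "2014-10-01 12:00:03 app: device=abcdefXYZ status=ok",
    "2014-10-01 12:00:04 app: device=XYZ1234 status=ok",
    "2014-10-01 12:00:05 app: note=ends with XYZ",
]


def matching_lines(pattern, lines=LINES):
    # The filter is assumed to behave like an unanchored search (re.search),
    # so a pattern may match anywhere in the entry unless it is anchored.
    return [line for line in lines if re.search(pattern, line)]


def matched_tokens(pattern, lines=LINES):
    # The exact text each pattern covers, one entry per matching line.
    return [m.group(0) for m in (re.search(pattern, line) for line in lines) if m]


if __name__ == "__main__":
    print(matching_lines(r"XYZ$"))       # only the line that ENDS with XYZ
    print(matched_tokens(r"\S+XYZ"))     # also 'device=XYZ': \S+ swallows the key and '='
    print(matched_tokens(r"\w+XYZ\b"))   # whole words ending in XYZ only
```

XYZ$ only matches when XYZ is the last thing on the line, which is why it returned nothing for entries where other fields follow the token. \S+XYZ finds the token anywhere in the entry, but because \S+ also swallows the field name and the = sign it matches device=XYZ1234 as well; \w+XYZ\b keeps only whole words that end in XYZ, since = is not a \w character and \b stops the match at the end of the word.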
Hi Steve, that's wonderful work; this has really solved many of my issues. Currently I am trying to highlight some of the information which shows simply plain in the alert, and the end user really has to look for it. For example, I have a large number of phones deployed and I have configured an alert for registered and unregistered, so when the support team gets the alert it contains more than 10 phones if an outage occurs, and they need to search the whole alert for the room number which is given under the phone description. Is there any way that I can separate some of the information and add it to the alert itself, like Device Description or Name or IP? Your help would be greatly appreciated.
Hey Ali — I am glad you are finding value in the posts! To solve your issue, have a look at this post: https://sflanders.net/2014/09/29/log-insight-alerts-email-returned-results/. In short, you can group by the field you want displayed in the alert. I hope this helps!