As part of XpoLog parsing language, users may apply a regular expression on another column in order to extract a specific value from that column.
Regular expressions language:
Characters
x The character x
\\ The backslash character
\0n The character with octal value 0n (0 <= n <= 7)
\0nn The character with octal value 0nn (0 <= n <= 7)
\0mnn The character with octal value 0mnn (0 <= m <= 3, 0 <= n <= 7)
\xhh The character with hexadecimal value 0xhh
\uhhhh The character with hexadecimal value 0xhhhh
\t The tab character ('\u0009')
\n The newline (line feed) character ('\u000A')
\r The carriage-return character ('\u000D')
\f The form-feed character ('\u000C')
\a The alert (bell) character ('\u0007')
\e The escape character ('\u001B')
\cx The control character corresponding to x
Character classes
[abc] a, b, or c (simple class)
[^abc] Any character except a, b, or c (negation)
[a-zA-Z] a through z or A through Z, inclusive (range)
[a-d[m-p]] a through d, or m through p: [a-dm-p] (union)
[a-z&&[def]] d, e, or f (intersection)
[a-z&&[^bc]] a through z, except for b and c: [ad-z] (subtraction)
[a-z&&[^m-p]] a through z, and not m through p: [a-lq-z](subtraction)
Predefined character classes
. Any character (may or may not match line terminators)
\d A digit: [0-9]
\D A non-digit: [^0-9]
\s A whitespace character: [ \t\n\x0B\f\r]
\S A non-whitespace character: [^\s]
\w A word character: [a-zA-Z_0-9]
\W A non-word character: [^\w]
POSIX character classes (US-ASCII only)
\p{Lower} A lower-case alphabetic character: [a-z]
\p{Upper} An upper-case alphabetic character:[A-Z]
\p{ASCII} All ASCII:[\x00-\x7F]
\p{Alpha} An alphabetic character:[\p{Lower}\p{Upper}]
\p{Digit} A decimal digit: [0-9]
\p{Alnum} An alphanumeric character:[\p{Alpha}\p{Digit}]
\p{Punct} Punctuation: One of !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
\p{Graph} A visible character: [\p{Alnum}\p{Punct}]
\p{Print} A printable character: [\p{Graph}]
\p{Blank} A space or a tab: [ \t]
\p{Cntrl} A control character: [\x00-\x1F\x7F]
\p{XDigit} A hexadecimal digit: [0-9a-fA-F]
\p{Space} A whitespace character: [ \t\n\x0B\f\r]
Classes for Unicode blocks and categories
\p{InGreek} A character in the Greek block (simple block)
\p{Lu} An uppercase letter (simple category)
\p{Sc} A currency symbol
\P{InGreek} Any character except one in the Greek block (negation)
[\p{L}&&[^\p{Lu}]] Any letter except an uppercase letter (subtraction)
Boundary matchers
^ The beginning of a line
$ The end of a line
\b A word boundary
\B A non-word boundary
\A The beginning of the input
\G The end of the previous match
\Z The end of the input but for the final terminator, if any
\z The end of the input
Greedy quantifiers
? any character, once or not at all
* any character, zero or more times
+ any character, one or more times
X{n} X, exactly n times
X{n,} X, at least n times
X{n,m} X, at least n but not more than m times
Reluctant quantifiers
?? any character, once or not at all
*? any character, zero or more times
+? any character, one or more times
X{n}? X, exactly n times
X{n,}? X, at least n times
X{n,m}? X, at least n but not more than m times
Possessive quantifiers
?+ any character, once or not at all
*+ any character, zero or more times
++ any character, one or more times
X{n}+ X, exactly n times
X{n,}+ X, at least n times
X{n,m}+ X, at least n but not more than m times
Logical operators
XY X followed by Y
X|Y Either X or Y
(X) X, as a capturing group
Back references
\n Whatever the nth capturing group matched
Quotation
\ Nothing, but quotes the following character
\Q Nothing, but quotes all characters until \E
\E Nothing, but ends quoting started by \Q
Special constructs (non-capturing)
(?:X) X, as a non-capturing group
(?idmsux-idmsux) Nothing, but turns match flags on - off
(?idmsux-idmsux:X) X, as a non-capturing group with the given flags on - off
(?=X) X, via zero-width positive lookahead
(?!X) X, via zero-width negative lookahead
(?<=X) X, via zero-width positive lookbehind
(? (?>X) X, as an independent, non-capturing group
--------------------------------------------------------------------------------
Backslashes, escapes, and quoting
The backslash character ('\') serves to introduce escaped constructs, as defined in the table above, as well as to quote characters that otherwise would be interpreted as unescaped constructs. Thus the expression \\ matches a single backslash and \{ matches a left brace.
It is an error to use a backslash prior to any alphabetic character that does not denote an escaped construct; these are reserved for future extensions to the regular-expression language. A backslash may be used prior to a non-alphabetic character regardless of whether that character is part of an unescaped construct.
Character Classes
Character classes may appear within other character classes, and may be composed by the union operator (implicit) and the intersection operator (&&). The union operator denotes a class that contains every character that is in at least one of its operand classes. The intersection operator denotes a class that contains every character that is in both of its operand classes.
The precedence of character-class operators is as follows, from highest to lowest:
1 Literal escape \x
2 Grouping [...]
3 Range a-z
4 Union [a-e][i-u]
5 Intersection [a-z&&[aeiou]]
Note that a different set of metacharacters are in effect inside a character class than outside a character class. For instance, the regular expression . loses its special meaning inside a character class, while the expression - becomes a range forming metacharacter.
Line terminators
A line terminator is a one- or two-character sequence that marks the end of a line of the input character sequence. The following are recognized as line terminators:
A newline (line feed) character ('\n'),
A carriage-return character followed immediately by a newline character ("\r\n"),
A standalone carriage-return character ('\r'),
A next-line character ('\u0085'),
A line-separator character ('\u2028'), or
A paragraph-separator character ('\u2029).
If UNIX_LINES mode is activated, then the only line terminators recognized are newline characters.
The regular expression . matches any character except a line terminator unless the DOTALL flag is specified.
By default, the regular expressions ^ and $ ignore line terminators and only match at the beginning and the end, respectively, of the entire input sequence. If MULTILINE mode is activated then ^ matches at the beginning of input and after any line terminator except at the end of input. When in MULTILINE mode $ matches just before a line terminator or the end of the input sequence.
For a more precise description of the behavior of regular expression constructs, please see Mastering Regular Expressions, 2nd Edition, Jeffrey E. F. Friedl, O'Reilly and Associates, 2002.
Syntax:
regexp - a regular expression, used to extract part of the data from another column will be extracted out of the value in the source column
{regexp,refIndex=index | refName=column_name;columnType=date/timestamp/number;multiLine=true/false,(regular_expression_to_extract)} | refIndex/refName (mandatory): the zero-based index of the source column / the name of the source column columnType (mandatory for date/timestamp only):
multiLine (optional): indicates whether the record spreads over more than one line |
Examples:
Log Events Example | XpoLog Pattern | What will be extracted by the Regular Expression |
---|---|---|
Mon Jul 10 04:33:51 2006 ALTER DATABASE ADD LOGFILE THREAD 2 GROUP 3 ('/oradata/PROD/redo.log') SIZE 200K, GROUP 4 ('/oradata/PROD/redo.log') SIZE 200K ORA-336 signalled during: ALTER DATABASE ADD LOGFILE THREAD 2 GROUP 3 ('/oradata/PROD/redo.log') SIZE 200K, GROUP 4 ('/oradata/PROD/redo.log') SIZE 200K... | {date:Date,EEE MMM dd HH:mm:ss yyyy}{regexp:Error Code,refName=Message,(ORA-\d+)}{string:Message} | ORA-336 will be extracted to a unique column |
Log Message: Error in Application at <2014-05-05 12:00:00.000> | {text:type}:{string:Message}{regexp:Date,refName=Message;columnType=date;dateFormat=yyyy-MM-dd HH:mm:ss.SSS,<(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d\d)>} | 2014-05-05 12:00:00.000 will be extracted to a unique column of type date |
Log Message: Error in Application at <1399291200000> | {text:type}:{string:Message}{regexp:Timestamp,refName=Message;columnType=timestamp;dateFormat=yyyy-MM-dd HH:mm:ss.SSS,<(\d+)>} | 2014-05-05 12:00:00.000 will be extracted to a unique column of type date (which is a translation of the timestamp 1399291200000) |
2014-05-05 12:00:00.000 ERROR Failed to run application, x=1 2014-05-05 12:00:00.000 ERROR Failed to run application, y=2 2014-05-05 12:00:00.000 ERROR Failed to run application, z=3 | {date,yyyy-MM-dd HH:mm:ss.SSS} {text:Priority} {string:Message}{regexp:Error-Code,refName=Message,((x=)|(y=)|(z=))(\s*)[XPLG_PARAM(\d+)]} | This regular expression looks for numbers either after 'x=' / 'y=' / 'z=' and will extract the result under a unique column |
2014-05-05 12:00:00.000 ERROR Invalid Processing Time: 875ms | {date,yyyy-MM-dd HH:mm:ss.SSS} {text:Priority} {string:Message}{regexp:Processing-Time,refName=Message;columnType=number,Processing Time: (\d+)} | 875 will be extracted to a unique column of type number |