Wich regex is used for mtail

[Petar Kozic]

Please,

can someone tell me some online regex tester for mtail test.

Every tester I found is for Java or PCRE and no one have this type of regex.

Thank you.

[Jamie Wilkinson]

The regular expression parser is from Go: https://golang.org/pkg/regexp/

I just found this first hit on Google for "golang regexp tester" https://regex-golang.appspot.com/assets/html/index.html

What sort of testing are you trying to do?

--
You received this message because you are subscribed to the Google Groups "mtail-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mtail-users+unsubscribe@googlegroups.com.
To post to this group, send email to mtail...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mtail-users/0875fe87-fc02-4cc3-881d-2ee6c52021b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Petar Kozic]

 I try but I without success.

I need to regex this log and count number of line by word LOCALRELAY and user.

May 21 23:49:26 server1 lfd[265961]: *Exceeded LOCALRELAY limit* from some_user (101 in the last hour)

I was create whole regex:

\w{3} \d{2} \d{2}:\d{2}:\d{2} \w{2} lfd\W\S* \S* LOCALRELAY \S* from \S* ([[:print:]]+)

and I wrote mtail file, without kiding please :) this is my first mtail:

counter localrelay_hit by localrelay, user

/^/ +

/(?P<timestamp>\w{3}/\d{2}/\d{2}:\d{2}:\d{2}) / +

/(?P<server>\w{2}) / +

/(?P<log>lfd\W\S*) / +

/(?P<status>\S*) / +

/(?P<localrelay>LOCALRELAY) / +

/(?P<limit>\S*) / +

/(?P<from>from) / +

/(?P<user>\S*) / +

/(?P<numberofmail>([[:print:]]+)) / +

/$/ {

localrelay_hit[$localrelay][$user]++

}

Thank you in advanced

[Jamie Wilkinson]

My advice is to only write the expression that matches what you need.

You want to match lines that have the word LOCALRELAY in them, so do just that:

counter localrelay_hit

/LOCALRELAY/ {

  localrelay_hit ++

}

And see how that goes.

I see you want to match user, too, so put that in the regexp:

counter localrelay_hit by user

/LOCALRELAY \w+\* from (\w+)/ {

  locarelay_hit[$1]++

}

I am deliberately being vague with the rest of the match, but having just written that I think your \S* after LOCALRELAY is not correct.

Try the regex-golang website!  You should be able to get your expression to match the line you pasted.

I just played around a bit there and ended up with ->

   .*\*Exceeded LOCALRELAY limit\* from (?P<user>\w+)

in the regular expression field,and your log line in the text to match, and saw the user field in the results.

You also have localrelay as a dimension on the metric, but you only ever match the string LOCALRELAY.  Is that intentional? If not, then don't record it.

BTW your first mtail is pretty good, looks like you understand the syntax already!

There is a regression test called 'ex_test.go' in the source that runs mtail on some log examples and checks the output is as expected.  You could try to use that to test your program; but also there's some flags to mtail to help with this too, e.g. --one_shot which should simulate running mtail against your log input which you can use to validate it.

Thanks for the email.  If there's anything that gets in your way as you try to test your program, please let me know.

[Petar Kozic]

Awesome, thanks!