Below are two log statements that I want to parse. One is wrapped in JSON and the other is in plain text. As I have marked break_on_match as false, it goes through both patterns. For log statement, I am getting _jsonparsefailure as it is not in JSON, and for every other field there are two entries, like loglevel having two INFO, etc.
2017-08-08 17:34:04:527 INFO Login:? - TGT expires: Wed Aug 09 05:34:04 GMT 2017
2017-08-08 17:34:04:648 INFO ConnectionContainer:? - {"t":1502213644648,"ecid":"Unknown","h":"0ac94b160d0c","l":"INFO","cN":"com.apps.common.connection","mN":"getConnection","m":"Single Keytab Mode"}
I have marked break_on_match as false, it goes through both patterns
But that's not what you want to do. You want it to try two patterns and be satisfied with the first match. The first expression could match if the log message looks like JSON and begins and ends with braces, i.e. your two expressions could look something like this:
The (?=...) and (?<=...) are zero-length lookahead and lookbehind assertions. Note the double quote in the expressions; make the whole string wrapped by single quotes instead of double quotes to avoid problems.
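An added example, not the expressions from the reply above (those are missing from this page): a complete Logstash pipeline that tries a JSON-shaped pattern first and falls back to plain text, so each event is matched once and the json filter runs only on a captured payload. The field names class, json_payload, log_message and payload are assumptions chosen for illustration.

```logstash
input { stdin { } }

filter {
  grok {
    # break_on_match is left at its default (true): grok stops at the first
    # pattern that matches, so timestamp/loglevel/class are captured only once.
    match => {
      "message" => [
        # 1) Payload must start with "{" (lookahead) and end with "}" (lookbehind).
        #    Single-quoted so the double quotes inside JSON payload patterns are safe.
        '^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{WORD:class}:\? - (?<json_payload>(?=\{).*(?<=\}))$',
        # 2) Fallback for plain-text messages.
        '^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{WORD:class}:\? - %{GREEDYDATA:log_message}$'
      ]
    }
  }

  # Parse JSON only when the first pattern captured a payload, so plain-text
  # lines never reach the json filter and are not tagged _jsonparsefailure.
  if [json_payload] {
    json {
      source => "json_payload"
      target => "payload"   # keeps keys such as "l" and "m" under one field
    }
  }
}

output { stdout { codec => rubydebug } }
```

A payload that starts and ends with braces but is not valid JSON still receives the _jsonparsefailure tag, which is worth keeping as a signal for malformed or truncated log lines.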