Regex Query Not Working

Maxwell_Flanders · December 9, 2016, 3:45am

I'm trying to write a regex query for a log that I know exists, and I was wondering if anyone could help me figure out why it is not functioning ( I am 99.999% sure that the regex is correct.)

Normal Query (to prove log exists):
LOG_MESSAGE: "Event type"

Result:

Regex Query:
LOG_MESSAGE: /Event\stype:\s.*\ssize:\s[0-9]{3,}/

Returns no result.

I have checked the string in the lower logs for leading/trailing whitespace and there are none, so as far as I can tell, this regex should match the later logs at least. Am I missing something in the syntax here? I have no idea what could be going on here.

Thanks!

Joe_Fleming · December 9, 2016, 5:36pm

type != Type

You'll need to make the regexp case insensitive by adding an i at the end. Try using:

LOG_MESSAGE: /Event\stype:\s.*\ssize:\s[0-9]{3,}/i

Maxwell_Flanders · December 10, 2016, 4:32pm

It should still match the lower documents though

Joe_Fleming · December 12, 2016, 5:18pm

Hrm, yeah, I missed the case on the later records. You're right, it should match that. I don't see anything wrong with the regexp in that case.

Believe it or not, the problem may actually be the space between the field name and the regexp.

Try LOG_MESSAGE:/Event\stype:\s.*\ssize:\s[0-9]{3,}/i

system · January 9, 2017, 5:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.