regex linux bash posix nagios

Unable to apply negative lookahead assertion to nagios plugin output on bash


The following regex works (tried PCRE/PHP flavor of regex via regex101.com) to match lines not containing the codes 201 and 204 in the given log file -

Regex

/^(?!.*HTTP\/1.1\"\s*(201|204)).*$/gm

Sample log file

127.0.0.1 - - [20/Oct/2016:11:35:08 +0000]  "GET //fam/shared_generate_LDA_compliant.php HTTP/1.1" 200 171 "-" "curl/7.40.0" - 0.002
127.0.0.1 - - [20/Oct/2016:11:35:34 +0000]  "GET /fam/update_daily_cap_in_memcache_contents.php HTTP/1.1" 200 64 "-" "curl/7.40.0" - 2.032
127.0.0.1 - - [20/Oct/2016:11:36:01 +0000]  "GET //fam/audience_pixel_cache_generator.php HTTP/1.1" 200 229001 "-" "curl/7.40.0" - 0.063
127.0.0.1 - - [20/Oct/2016:11:36:01 +0000]  "GET //fam/shared_generate_banner_campaign_assoc.php HTTP/1.1" 200 302 "-" "curl/7.40.0" - 0.406
127.0.0.1 - - [20/Oct/2016:11:36:02 +0000]  "GET /fam/update_daily_cap_in_memcache_contents.php HTTP/1.1" 200 64 "-" "curl/7.40.0" - 0.888
127.0.0.1 - - [20/Oct/2016:11:36:32 +0000]  "GET /fam/update_daily_cap_in_memcache_contents.php HTTP/1.1" 200 64 "-" "curl/7.40.0" - 0.965
127.0.0.1 - - [20/Oct/2016:11:37:01 +0000]  "GET //fam/audience_pixel_cache_generator.php HTTP/1.1" 200 229001 "-" "curl/7.40.0" - 0.021

I would like to apply the same on this nagios plugin command, but it does not work -

/usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_nginx -p /mnt/log/nginx/access_`(date +'%Y%m%d')`_`(date +'%H')`.log "^(?!.*HTTP\/1.1\"\s*(201|204)).*$"

Throws error -

bash: !.*HTTP\/1.1\"\s*: event not found

The following regex works with the nagios plugin command, which finds out lines containing the codes 200 or 201 -

/usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_nginx -p /mnt/log/nginx/access_`(date +'%Y%m%d')`_`(date +'%H')`.log ".*HTTP/1.1\"\s*(200|201)"

Opening bounty

How to match lines not containing the codes 201 and 204 without using lookaheads in POSIX flavor of regex?


Solution

  • The logwarn documentation mentions support for a negative checking expression.

    Please try pre-pending an exclamation mark (!) before the pattern string to exclude rather than include these matches:

    /usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_nginx /mnt/log/nginx/access_`(date +'%Y%m%d')`_`(date +'%H')`.log '!.*HTTP/1.1\"\s*(205|201)'
    

    Update - The command above was corrected as per the comments below.
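
An added example (not part of the original answer, and not logwarn's own code): the exclusion the question asks for, written in portable POSIX ERE and run over constructed log lines. `match_lines` is a hypothetical helper that imitates the leading-`!` exclude form with `grep -E` / `grep -Ev`; it does not call check_logwarn. The `!` is kept in single quotes because interactive bash performs history expansion inside double quotes, which is what produced the "event not found" error.

```shell
#!/bin/sh
# Constructed access-log lines (not from the original post). Lines 4 and 5
# carry "204" and "201" outside the status field on purpose.
sample_log() {
cat <<'EOF'
127.0.0.1 - - [20/Oct/2016:11:35:08 +0000]  "GET /a.php HTTP/1.1" 200 171 "-" "curl/7.40.0" - 0.002
127.0.0.1 - - [20/Oct/2016:11:35:09 +0000]  "POST /b.php HTTP/1.1" 201 64 "-" "curl/7.40.0" - 0.010
127.0.0.1 - - [20/Oct/2016:11:35:10 +0000]  "DELETE /c.php HTTP/1.1" 204 0 "-" "curl/7.40.0" - 0.004
127.0.0.1 - - [20/Oct/2016:11:35:11 +0000]  "GET /d.php HTTP/1.1" 500 204 "-" "curl/7.40.0" - 0.201
127.0.0.1 - - [20/Oct/2016:11:35:12 +0000]  "GET /201/e.php HTTP/1.1" 404 12 "-" "curl/7.40.0" - 0.001
EOF
}

# Status-code pattern in portable POSIX ERE: [[:space:]] replaces the
# non-POSIX \s, and the dots in "1.1" are escaped. Anchoring on the closing
# quote of the request keeps byte counts and URL paths from matching.
STATUS_RE='HTTP/1\.1"[[:space:]]*(201|204)'

# match_lines PATTERN: filters log lines read from stdin.
# A leading "!" inverts the match (hypothetical helper, see lead-in).
match_lines() {
    case "$1" in
        '!'*) grep -Ev -- "${1#?}" ;;   # strip the "!" and exclude matches
        *)    grep -E  -- "$1" ;;       # plain inclusive match
    esac
}

# Number of sample lines whose status is neither 201 nor 204.
unexpected_count() {
    sample_log | match_lines '!'"$STATUS_RE" | wc -l | tr -d ' '
}

unexpected_count
```
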