
Parse message in Log Insight


I want to parse this message:

[2021-08-30T14:01:01.443908+00:00] technical.INFO: Webhook "239dfb55-c8f3-4ae2-8974-22dadb7417ba" (wallet.create) has been handle.

To have:

UUID (here: 239dfb55-c8f3-4ae2-8974-22dadb7417ba)

The words in brackets (here: wallet.create)

I can get the UUID but not the terms in brackets.

I think my regex is correct, but it doesn't work on Log Insight :(

My query:

fields @message
| filter @message like /technical.INFO: Webhook "/
| parse @message /(?<webhookId>\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b)/
| parse @message /(?<@endpt_get>\(([^)]+)\)/
| sort @timestamp desc
| limit 5

My regex for the words in brackets:

https://regex101.com/r/ewSm6O/1

If I comment out this line of my query:

parse @message /(?<@endpt_get>\(([^)]+)\)/

I have the good result

The line of code I commented above blocks the result, I return nothing.

Could you please help me?


Solution

  • If your log messages are all going to have this same format, you can use glob instead of regex (and for something complex like this, that may be easier)

    fields @message, @timestamp
    | parse @message "technical.INFO: Webhook \"*\" (*) has been handle" as uuid, term_to_catch
    | sort @timestamp desc
    | display @timestamp, uuid, term_to_catch
    

    If some of the sections of the message (like technical.INFO) would change, you can always * them and put a dummy variable to catch but then do nothing with it

    | parse @message "*: Webhook \"*\" (*) has been handle" as type, uuid, term_to_catch
    | display @timestamp, uuid, term_to_catch
    

    Alternatively - if you insist on your regex - then the reason is most likely because you are not storing the parsed results as their own variable, and so they are overwriting each other

    | parse @message /your*regex/ as uuid
    | parse @message /your*second.regex/ as term_to_catch
    

    may get what you need as well.
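
An offline check of a single-regex version of this extraction, as an added example that is not part of the original question or answer. JavaScript is used because it accepts the same `(?<name>...)` group syntax as the query above; the names `parseWebhookLine`, `compiles`, `summarize`, `webhookId` and `event` and the sample lines are constructed, and whether Logs Insights rejects the same group names that JavaScript rejects is an assumption to confirm in the console.

```javascript
// Added example: offline check of a one-regex version of the extraction.
// SAMPLE_LINES are constructed from the log format shown in the question.
const SAMPLE_LINES = [
  '[2021-08-30T14:01:01.443908+00:00] technical.INFO: Webhook "239dfb55-c8f3-4ae2-8974-22dadb7417ba" (wallet.create) has been handle.',
  '[2021-08-30T14:01:02.000000+00:00] technical.INFO: Cache warmed (in 12 ms)',
  '[2021-08-30T14:01:03.000000+00:00] technical.INFO: Webhook "not-a-uuid" (wallet.create) has been handle.',
];

// One pattern, two named groups with plain identifier-style names.
// Anchoring on the literal 'Webhook "' stops the bracket match from
// picking up unrelated parenthesised text such as "(in 12 ms)".
const WEBHOOK_RE =
  /Webhook "(?<webhookId>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})" \((?<event>[^)]+)\)/;

// Returns the two fields, or null when the line does not fit the format.
function parseWebhookLine(line) {
  const m = WEBHOOK_RE.exec(line);
  return m ? { webhookId: m.groups.webhookId, event: m.groups.event } : null;
}

// True if this JavaScript engine accepts the pattern source.
function compiles(source) {
  try {
    new RegExp(source);
    return true;
  } catch (e) {
    return false;
  }
}

// Split lines into parsed records and lines the pattern missed, so the
// misses can be counted instead of silently dropped.
function summarize(lines) {
  const parsed = [];
  const unparsed = [];
  for (const line of lines) {
    const rec = parseWebhookLine(line);
    if (rec) parsed.push(rec);
    else unparsed.push(line);
  }
  return { parsed, unparsed };
}

const { parsed, unparsed } = summarize(SAMPLE_LINES);
console.log(parsed);
console.log(`${unparsed.length} line(s) did not match`);
console.log('endpt_get compiles here:', compiles('(?<endpt_get>\\(([^)]+)\\))'));
console.log('@endpt_get compiles here:', compiles('(?<@endpt_get>\\(([^)]+)\\))'));
```

Both groups can go into one `parse @message /.../` line in Logs Insights, which accepts several named groups in a single regex.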