
Re: [multitail] regex help



Laurent TAUPIAC wrote:

> I would like to filter some entries from an Apache log.
> 
> I want to display
> - all lines that match "client 164.7.108.226" like
> 
>     * /[Thu Nov 09 08:53:11 2006] [error] [client 164.7.108.226] PHP
>       Notice:  Undefined variable: toto in
>       /sg2/instdev2/htdocs/V4/_FO_/lta.old/bench/test.php on line 7/
> 
> 
> - all lines that don't match "client" like
> 
>     * /[Thu Nov 09 08:53:11 2006] [notice] child pid 13313 exit signal
>       Segmentation fault (11)/
> 
> 
> I tried several methods but without any success
> 
> such as one regexp that should do both things (match IP or line with this
> format "[date][level] message")
> multitail -Em "(108.243|108.226)|^(\[.+?\]\s){2}(?!\[)" errors.log

Parameter m is incorrectly used.

What is your objective?  First you say you want to match lines with "client"
(and all that don't match "client", nice contradiction, in other words: match
all lines) then your regex is trying to match a couple of IP addresses (you just
forgot to escape the dot).

> This regexp does not even compile on multitail, I guess because of the
> negative lookahead assertion (it compiles if I put \ before ? but matches
> nothing anyway).
> Another way, without the assertion:
> multitail -Em "(108.243|108.226)|^(\[.+?\]\s){2}[^\[]" errors.log
> matches nothing.
> I saw in the documentation that we can specify multiple regexps, but it will do AND
> between them, and I need an OR to union
> 
> If I test those regexps in tools like regexBuddy or regexCoach, they work
> and match both kinds of lines.
> 
> If you have any advice.

Why not use the multitail.conf file as an example?

If I wanted to match all lines with an IP address, using the sample (for Apache)
in the conf file, I'd use:

multitail -E "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}"

You can test it quickly by using "-j" (as in `echo "[Thu Nov 09 08:53:11 2006]
[error] [client 164.7.108.226] PHP Notice:  Undefined variable..." | multitail
-j -E <etc>`) or on the log file (with multitail -n 1000 -E ... /<path>/<log>).

I also tried some perl-regex notation:

echo "[Thu Nov 09 08:53:11 2006] [error] [client 164.7.108.226] PHP Notice:
Undefined variable: toto in /sg2/instdev2/htdocs/V4/_FO_/lta.old/bench/test.php
on line 7"  | multitail -j -E "\d\.\d\.\d\.\d"

and it works (matches the line with an IP address).
-- 
René Berber
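
Added example, not part of the original messages: a lookahead-free pattern for the filter asked about in the thread (one client IP, or lines with no [client ...] field), checked with grep -E standing in for a POSIX extended regex engine. The sample lines are constructed, the function names are hypothetical, and the assumption is that the engine in use follows POSIX ERE rules.

```shell
#!/bin/sh
# Constructed sample lines in Apache error-log format (not from a real log).
sample_log() {
cat <<'EOF'
[Thu Nov 09 08:53:11 2006] [error] [client 164.7.108.226] PHP Notice:  Undefined variable: toto
[Thu Nov 09 08:53:11 2006] [notice] child pid 13313 exit signal Segmentation fault (11)
[Thu Nov 09 08:53:12 2006] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
[Thu Nov 09 08:53:13 2006] [error] [client 10.0.0.5] constructed line, request id 1080226
EOF
}

# Branch 1: the one client of interest, with every dot escaped.
# Branch 2: "[date] [level] " followed by anything except "[", i.e. a line
# with no [client ...] field. Negated bracket expressions replace both the
# non-greedy ".+?" and the "(?!\[)" lookahead, neither of which is POSIX ERE.
WANTED='\[client 164\.7\.108\.226\]|^\[[^]]*\] \[[^]]*\] [^[]'

# Keep only the lines matching either branch (reads stdin).
filter_wanted() { grep -E "$WANTED"; }

# Number of sample lines the combined filter keeps.
count_wanted() { sample_log | filter_wanted | wc -l | tr -d ' '; }

# An unescaped dot matches any character, so "108.226" also hits "1080226".
count_unescaped_dot() { sample_log | grep -Ec '108.226'; }

# With the dot escaped, only the literal address fragment matches.
count_escaped_dot() { sample_log | grep -Ec '108\.226'; }

# Show the filtered sample: the 164.7.108.226 line and the [notice] line.
sample_log | filter_wanted
```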