RunReveal

Regex processor

The regex processor applies a regular expression with named capture groups to a field in the event and stores the extracted values. Use it for log formats with a known structure that can be parsed with a regex.

Configuration

{
  "sources": {
    "parsed": {
      "type": "regex",
      "source": {
        "type": "file",
        "path": "/var/log/app/",
        "extension": ".log"
      },
      "rules": [
        {
          "match": [
            { "path": "rawLog", "value": "*" }
          ],
          "field": "rawLog",
          "pattern": "(?P<timestamp>\\S+) (?P<level>\\S+) (?P<message>.*)",
          "target": "rawLog"
        }
      ]
    }
  }
}

Options

| Option | Type | Description |
| --- | --- | --- |
| source | object | Required. Nested source configuration |
| rules | array | Required. List of parsing rules |

Rule structure

| Field | Type | Description |
| --- | --- | --- |
| match[].path | string | JSONPath to the field to match |
| match[].value | string | Value to match |
| field | string | Field to apply the regex against |
| pattern | string | Regular expression with named capture groups ((?P<name>...)) |
| target | string | Field to store the extracted values |

Example: Parse custom application logs

Given log lines like:

2025-01-15T10:30:00Z INFO [webapp] User admin logged in from 192.168.1.100

Configure:

{
  "sources": {
    "app": {
      "type": "regex",
      "source": {
        "type": "file",
        "path": "/var/log/app/",
        "extension": ".log"
      },
      "rules": [
        {
          "match": [
            { "path": "rawLog", "value": "*" }
          ],
          "field": "rawLog",
          "pattern": "(?P<timestamp>\\S+) (?P<level>\\S+) \\[(?P<service>\\S+)\\] (?P<message>.*)",
          "target": "rawLog"
        }
      ]
    }
  }
}
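
The following is an added example, not RunReveal's own code: a dry run of the rule above against sample lines, showing the extracted fields and which lines the pattern would not parse. It assumes Python's re module as a stand-in for the processor's regex engine and an unanchored search; dry_run is a hypothetical helper, and every sample event except the first is constructed.

```python
import json
import re

# Rule fields copied from the configuration above, still JSON-escaped as in the file.
RULE_JSON = r'''
{
  "field": "rawLog",
  "pattern": "(?P<timestamp>\\S+) (?P<level>\\S+) \\[(?P<service>\\S+)\\] (?P<message>.*)",
  "target": "rawLog"
}
'''

# First event is the log line from the page; the others are constructed
# to exercise lines that deviate from the expected structure.
SAMPLE_EVENTS = [
    {"rawLog": "2025-01-15T10:30:00Z INFO [webapp] User admin logged in from 192.168.1.100"},
    {"rawLog": "2025-01-15T10:30:01Z WARN disk usage at 91%"},        # no [service] tag
    {"rawLog": "2025-01-15T10:30:02Z ERROR [web app] worker crashed"},  # space inside the tag
]


def dry_run(rule_json, events):
    """Apply the rule's pattern to each event; return (parsed, unmatched)."""
    rule = json.loads(rule_json)  # JSON decoding turns "\\S" into the regex escape \S
    regex = re.compile(rule["pattern"])
    if not regex.groupindex:
        raise ValueError("pattern defines no named capture groups")
    parsed, unmatched = [], []
    for event in events:
        value = event.get(rule["field"], "")
        match = regex.search(value)  # assumption: unanchored search
        if match is None:
            unmatched.append(value)
        else:
            parsed.append(match.groupdict())
    return parsed, unmatched


if __name__ == "__main__":
    parsed, unmatched = dry_run(RULE_JSON, SAMPLE_EVENTS)
    for fields in parsed:
        print("parsed:   ", fields)
    for line in unmatched:
        print("unmatched:", line)
```

Lines reported as unmatched yield no timestamp, level, service or message values under this pattern, so check a representative sample of real log lines before building queries or detections on those fields.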
