I can't figure out how to search using regexp in Loggly.
For example, there is a log that I want to find using the expression `/24nonstop.+7554/`.

```
{
  "level_name": "WARNING",
  "extra": {
    "uid": "b1b3a7a",
    "http": {
      "SERVER": {
        "REQUEST_URI": "/24nonstop/result?ACT=1&SERVICE_ID=7554&PAY_ACCOUNT=maxudov%40ukr.net%D0%9C%D0%90%D0%A0%D0%9A%D0%A3%D0%A1.777&PAY_ID=BA56136B-93C8-4715-AA5F-51699305C6F2&TRADE_POINT=11057&SIGN=A77D6B3B4CF84CA1B97C8FA5D9E7688D",
...
```

But in this case Loggly finds nothing.
If I use `/24nonstop/` then Loggly finds logs.
Link for my regexp
Am I searching properly?

skamazin
Dmitry Davydov
  • Regex seems to be OK, however it looks like there are some other built-in limitations with Loggly. Did you try wrapping your regex in `"`? https://www.loggly.com/docs/search-query-language/#regex may help if not yet referred to. – pushpraj Aug 01 '14 at 06:50
  • @pushpraj thanks for the link. There I've found that: _Regular expressions only work on single tokens when run on a full text search. You cannot do a regex on a single term that has been split into several tokens due to special characters or other rules. For example, this won’t work because it’s been tokenized, even if we escape the special characters: /HTTP/1.0/_ – Dmitry Davydov Aug 01 '14 at 07:01
  • Great find! As mentioned in the link, you may try giving it a shot by wrapping your regex in quotations, e.g. `"regex"`; it may solve your issue. – pushpraj Aug 01 '14 at 07:14
  • @pushpraj Unfortunately it does not help. A regex like "24nonstop.+7554" doesn't work. Of course it is strange and sad. Thank you, I think you should answer mentioning the limitations. – Dmitry Davydov Aug 01 '14 at 07:24
  • @DmitryDavydov you could use lookbehind. See http://rubular.com/r/xJbXvj9mkZ – Avinash Raj Aug 01 '14 at 07:27
  • @AvinashRaj, unfortunately this doesn't work either. [example](http://i60.tinypic.com/2qwodcg.png). – Dmitry Davydov Aug 01 '14 at 10:25

1 Answer

According to the Loggly documentation on regex, there are some limitations for regex search:

> Regular expressions only work on single tokens when run on a full text search. You cannot do a regex on a single term that has been split into several tokens due to special characters or other rules. For example, this won’t work because it’s been tokenized, even if we escape the special characters:
> `/HTTP/1.0/`

Unfortunately there is no way to use `/` in a search pattern, even if it is escaped with `\`.

Dmitry Davydov