3

I am trying to capture the Java exception anem from a log file, but I would like to exclude the "Caused by:" string using Oniguruma Regular Expressions Version 6.0.0:

^.+Exception

returns:

"Caused by: java.nio.file.NoSuchFileException"

How can I write a regular expression which captures the exception name but ignores the "Caused by: " string in front of it? This will be used in Grok Logstash.

ouflak
  • 2,458
  • 10
  • 44
  • 49
Arturski
  • 1,142
  • 3
  • 14
  • 26
  • And what about `^(?!.*Caused by:).+Exception`? It should work. – Wiktor Stribiżew Nov 21 '16 at 13:28
  • not working, tested on http://rubular.com/r/JFI3pukx4y – Arturski Nov 21 '16 at 13:42
  • It is working, as it does not match the line that contains `Caused by:`, as you wrote *I am trying to capture the Java exception from a log file without the "Caused by:" string*. If it is not what you really are doing, please update the question. – Wiktor Stribiżew Nov 21 '16 at 13:43
  • Yes but that means that I want to capture the java exception name but not the "Caused By: " string. i need the regex to only return "java.nio.file.NoSuchFileException" – Arturski Nov 21 '16 at 13:45
  • That should be part of the question, not a comment. Use `(?<=^Caused by: ).+Exception`. Or, if you can access the capture group, use `^Caused by:\s*(.+Exception)`. Where are you using the regex? Grok/Logstash? Java? – Wiktor Stribiżew Nov 21 '16 at 13:46
  • Grok+Logstash, it keeps capturing the "Caused by" for some reason – Arturski Nov 21 '16 at 13:50
  • Ok, I added the tags and an answer. – Wiktor Stribiżew Nov 21 '16 at 14:00

1 Answers1

1

You may use capturing with the following pattern:

^Caused\s*by:\s*(?<exception>[\w.]+)

The (?<exception>[\w.]+) named capturing group will match and capture into Group "exception" (creating the variable with the same name) 1+ word (letters, digits or underscores) or . chars.

Answering your question, to check and require something but excluding it from the match, you may use lookarounds:

(?<=^Caused by: ).*?Exception

See this Rubular demo. And below is a test at https://grokdebug.herokuapp.com/:

enter image description here

Wiktor Stribiżew
  • 607,720
  • 39
  • 448
  • 563
  • Hi Wiktor thanks for the solution! I am having 2 values generated in the grok debugger, with and without the caused by string for some reason. { "exception": [ [ "Caused by: java.nio.file.NoSuchFileException" ], [ "java.nio.file.NoSuchFileException" ] ] } – Arturski Nov 21 '16 at 14:35
  • And if you use `(?(?<=^Caused by: ).*?Exception)`? – Wiktor Stribiżew Nov 21 '16 at 14:39
  • still returns 2 values but both are correct. { "exception": [ [ "java.nio.file.NoSuchFileException" ], [ "java.nio.file.NoSuchFileException" ] ] } – Arturski Nov 21 '16 at 14:57
  • Please check your other settings. BTW, you are only using 1 set of parentheses around the pattern, right? – Wiktor Stribiżew Nov 21 '16 at 15:02