Log Parser Lizard (MS Log Parser) Ignore Regex

Question

first question so be gentle.

I am a regex padawan. I've only dabbled lightly. I am experimenting with Log Parser Lizard by LizardLabs. I am writing an XML that the application uses MS Log Parser to apply regex to a log file to return the results in a pretty GUI. The XML contains tags which you define as fields, so forgive the messy code, but it's how it wants it...

<regex>\s{1,}(?&lt;PID&gt;(.*))\((?&lt;TID&gt;(.*))\)\s{1,}(?&lt;DATE&gt;(\d{2}\/\d{2}\/\d{4}))\s{1,}(?&lt;TIME&gt;(\d{2}:\d{2}:\d{2}))\s{1,}(?&lt;CLASS&gt;([A-Z][^\s]{1,}))\s{1,}(?&lt;TYPE&gt;(.{1}))\s{1,}(?&lt;MESSAGE&gt;(.{1,})).*</regex>
  <fields>
  <field name="PID" type="String" />
  <field name="TID" type="String" /> 
  <field name="DATE" type="String" />
  <field name="TIME" type="String" />
  <field name="CLASS" type="String" />
  <field name="TYPE" type="String" />
  <field name="MESSAGE" type="String" />
</fields>

Sample lines:

3840( 5516) 03/15/2015 00:10:04 JS I Starting Incident Deadline Update Schedule

3840( 5516) 03/15/2015 00:10:04 JS I No records to be updated

3648( 5444) 03/15/2015 01:00:07 JGroups version: 2.6.15.GA

The regex correctly grabs the first two lines and parses it nicely, but the third line fails (obviously, because it's not the same format).

The question: How do I use (?!JGroups) or [^JGroups] to make the regex properly ignore the JGroups line?

I have tried the following;

(?<CLASS>([^JGroups][A-Z][^\s]{1,}))
(?<CLASS>((?!JGroups([A-Z][^\s]{1,})))

Neither seem to make it ignore that line (and continue matching).

What am I doing wrong? To complicate it further, using plain regex (without running it through this application) seems to work properly with my second example. Is it a fault of the application not knowing how to do these "ignore" matches?

Answer 1

There are a few odd things in your regex.

\\s{1,} It seems you want to use space as a delimiter but you are actually saying 1 or 0 spaces

(?<CLASS>([AZ][^\\s]{1,})) The class is a single letter (eg 'J'), followed by 1 or 0 non-space characters?

I can't help you much more without the format of the log itself but it looks like it should be should like this: \\s*(?<PID>([^\\s]*))\\((?<TID>([^\\s]*))\\)\\s(?<DATE>(\\d{2}\\/\\d{2}\\/\\d{4}))\\s(?<TIME>(\\d{2}:\\d{2}:\\d{2}))\\s(?<CLASS>([^\\s]*))\\s(?<TYPE>([^\\s]*))\\s(?<MESSAGE>(.*))