I need to filter out or exclude successful transactions from a logfile where statusCode = 2001.
For example, from the following lines that contain "Diameter-Response" I want to exclude statusCode 2001; the regex should match lines 2 and 4.
What regex should I use?
{"remoteHost":"epdg","epoch":1648084954231,"command":"Diameter-Response","Result-Code"{"value":2344}},**"statusCode":"2001"**,"status":"FOO ","timestamp":"2022-03-24 03:22:34.231"}
{"remoteHost":"epdg","epoch":1648084954231,"command":"Diameter-Response","Result-Code"{"value":2345}},**"statusCode":"3001"**,"status":"FOO ","timestamp":"2022-03-24 03:22:34.231"}
{"remoteHost":"epdg","epoch":1648084954231,"command":"Diameter-Response","Result-Code"{"value":2221}},**"statusCode":"2001"**,"status":"FOO ","timestamp":"2022-03-24 03:22:34.231"}
{"remoteHost":"epdg","epoch":1648084954231,"command":"Diameter-Response","Result-Code"{"value":1233}},**"statusCode":"5001"**,"status":"FOO ","timestamp":"2022-03-24 03:22:34.231"}
CodePudding user response:
The question limits the scope to the regular expressions domain, so a valid answer would be a regex like this: ^{.*?"command":"Diameter-Response".*?"statusCode":"2001".*}$
matching lines containing both "command":"Diameter-Response" and the statusCode==2001.
But it expects the line to contain literally "command":"Diameter-Response" and it must come before the statusCode attribute. So it's really unreliable if that string changes a bit.
Plus it will work only as long as you first split those lines and each line contains only a JSON object {attr:value...}.
There are better ways to achieve your goal, since that's JSON encoding and you could evaluate those lines to create and query those objects instead of dealing with text. But that's what you asked for.
The better way implied it was running in a JavaScript interpreter and you could get that object alive, loop through it and exclude objects having those two properties with those values.
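The parse-then-filter approach described in the answer above, as an added example that is not part of the original answers. It assumes one record per line and that lines which are not Diameter-Response records should be kept; the function names and the sample lines are constructed for illustration. Lines that fail to parse as JSON (as the question's samples would) fall back to two independent text checks, so key order does not matter.

```javascript
// Constructed sample input: two lines in the malformed shape shown in the
// question, two well-formed JSON lines with the keys in a different order,
// and one record that is not a Diameter-Response.
const SAMPLE = [
  '{"remoteHost":"epdg","command":"Diameter-Response","Result-Code"{"value":2344}},"statusCode":"2001","status":"FOO "}',
  '{"remoteHost":"epdg","command":"Diameter-Response","Result-Code"{"value":2345}},"statusCode":"3001","status":"FOO "}',
  '{"statusCode":"2001","command":"Diameter-Response","remoteHost":"epdg"}',
  '{"statusCode":"5001","command":"Diameter-Response","remoteHost":"epdg"}',
  '{"remoteHost":"epdg","command":"Diameter-Request","statusCode":"2001"}',
];

// Text fallback: each field is tested on its own, so key order is irrelevant.
// (?!\d) stops 2001 from matching as a prefix of a longer number.
const COMMAND_RE = /"command"\s*:\s*"Diameter-Response"/;
const STATUS_RE = /"statusCode"\s*:\s*"?2001"?(?!\d)/;

// Return {command, statusCode} from a line, or null when it is not a JSON object.
function parseFields(line) {
  try {
    const obj = JSON.parse(line);
    if (obj === null || typeof obj !== 'object') return null;
    return { command: obj.command, statusCode: String(obj.statusCode) };
  } catch (e) {
    return null;
  }
}

// True when the line is a Diameter-Response whose statusCode is 2001.
function isSuccessfulResponse(line) {
  const f = parseFields(line);
  if (f) return f.command === 'Diameter-Response' && f.statusCode === '2001';
  return COMMAND_RE.test(line) && STATUS_RE.test(line);
}

// Equivalent of `grep -v`: keep every non-empty line that is not a successful response.
function dropSuccessful(lines) {
  return lines.filter((line) => line.trim() !== '' && !isSuccessfulResponse(line));
}

console.log(dropSuccessful(SAMPLE).join('\n'));
```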
CodePudding user response:
With this you can catch lines that contain status 2001:
/(?<=\n|^).*"statusCode":"2001".*(?=\n|$)/gm
https://regex101.com/r/EUY13p/1
Then negate it, depending on your system, e.g.
grep -v regex
// edit 1: to include command, assuming it appears before statusCode
(?<=\n|^).*"command":"Diameter-Response".*"statusCode":"2001".*(?=\n|$)
https://regex101.com/r/pHEhkU/1
// edit 2: in case command can be before or after:
(?<=\n|^).*(?:"command":"Diameter-Response".*)?"statusCode":"2001".*(?:"command":"Diameter-Response".*)?(?=\n|$)