Reputation: 321
I want to parse this message:
[2021-08-30T14:01:01.443908+00:00] technical.INFO: Webhook "239dfb55-c8f3-4ae2-8974-22dadb7417ba" (wallet.create) has been handle.
To get:
The UUID (here: 239dfb55-c8f3-4ae2-8974-22dadb7417ba)
The words in brackets (here: wallet.create)
I can get the UUID but not the terms in brackets.
I think my regex is correct, but it doesn't work on Logs Insights :(
My query:
fields @message
| filter @message like /technical.INFO: Webhook "/
| parse @message /(?<webhookId>\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b)/
| parse @message /(?<@endpt_get>\(([^)]+)\)/
| sort @timestamp desc
| limit 5
My regex for the words in brackets:
https://regex101.com/r/ewSm6O/1
If I comment out this line of my query:
parse @message /(?<@endpt_get>\(([^)]+)\)/
I get the correct result.
The line of code I commented out above blocks the result; I get nothing back.
Could you please help me?
Upvotes: 1
Views: 3689
Reputation: 2400
If your log messages are all going to have this same format, you can use glob instead of regex (and for something complex like this, that may be easier):
fields @message, @timestamp
| parse @message "technical.INFO: Webhook \"*\" (*) has been handle" as uuid, term_to_catch
| sort @timestamp desc
| display @timestamp, uuid, term_to_catch
If some of the sections of the message (like technical.INFO) would change, you can always * them and put a dummy variable to catch them, but then do nothing with it:
| parse @message "*: Webhook \"*\" (*) has been handle" as type, uuid, term_to_catch
| display @timestamp, uuid, term_to_catch
Alternatively, if you insist on your regex, then the reason is most likely that you are not storing the parsed results as their own variable, and so they are overwriting each other:
| parse @message /your*regex/ as uuid
| parse @message /your*second.regex/ as term_to_catch
may get what you need as well.
Upvotes: 1
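Added example, not part of the original posts: a JavaScript check of the bracket pattern from the question, next to a single pattern with two named groups, both run against the quoted log line. JavaScript's regex engine stands in for Logs Insights here, which is an assumption; `COMBINED`, `check`, `parenBalance`, `parseWebhook` and the group name `event` are hypothetical names.

```javascript
// Constructed sample: the log line quoted in the question.
const SAMPLE =
  '[2021-08-30T14:01:01.443908+00:00] technical.INFO: Webhook ' +
  '"239dfb55-c8f3-4ae2-8974-22dadb7417ba" (wallet.create) has been handle.';

// The bracket pattern exactly as posted in the question.
const POSTED = '(?<@endpt_get>\\(([^)]+)\\)';

// Hypothetical replacement: one pattern, two named groups. Group names use
// letters only, and the literal parentheses sit outside the capture group.
const UUID = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';
const COMBINED = `Webhook "(?<webhookId>${UUID})" \\((?<event>[^)]+)\\)`;

// Count unescaped parentheses outside character classes to spot an unclosed group.
function parenBalance(src) {
  let depth = 0, inClass = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') { i++; continue; }            // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') inClass = true;
    else if (c === '(') depth++;
    else if (c === ')') depth--;
  }
  return depth; // > 0 means that many groups were never closed
}

// Compile a pattern and report the engine's verdict instead of throwing.
function check(src) {
  const unclosed = parenBalance(src);
  try {
    new RegExp(src);
    return { ok: true, unclosed };
  } catch (e) {
    return { ok: false, unclosed, error: e.message };
  }
}

// Extract both fields from one line; null when the line is not a webhook entry.
function parseWebhook(line) {
  const m = new RegExp(COMBINED).exec(line);
  return m ? { webhookId: m.groups.webhookId, event: m.groups.event } : null;
}

console.log(check(POSTED));        // does not compile in this engine
console.log(check(COMBINED));
console.log(parseWebhook(SAMPLE));
```

As posted, the bracket pattern opens a group with `(?<` that is never closed and gives it a name starting with `@`; the combined pattern avoids both and fits in a single `parse @message /.../` command, since Logs Insights accepts several named groups in one regular expression.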