Character Classes
Character classes match one character from a set. They are useful when logs contain structured but variable text such as timestamps, hex values, IDs, or status codes.
Basic Character Classes
Use square brackets to define a set of acceptable characters:
[abc]
|
Matches "a", "b", or "c" |
[012]
|
Matches "0", "1", or "2" |
[aeiou]
|
Matches any lowercase vowel |
Log Analysis Examples
Match HTTP status code first digit
.*HTTP/[0-9]\.[0-9]\" [45][0-9][0-9].*Matches 4xx and 5xx HTTP errors
Match log levels
.*\[(DEBUG|INFO|WARN|ERROR)\].*Matches common log level indicators
Character Ranges
Use a hyphen to specify character ranges (based on ASCII encoding):
[a-z]
|
Any lowercase letter |
[A-Z]
|
Any uppercase letter |
[0-9]
|
Any digit |
[a-f0-9]
|
Hexadecimal characters |
[A-Za-z]
|
Any letter (case insensitive) |
Log Analysis Examples
Match UUIDs in logs
.*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}.*Matches UUIDs like "550e8400-e29b-41d4-a716-446655440000"
Match process IDs (PIDs)
.*\[pid [0-9]+\].*Matches process ID indicators
Negated Character Classes
Use
^
as the first character inside brackets to match any character
except
those listed:
[^abc]
|
Any character except "a", "b", or "c" |
[^0-9]
|
Any non-digit character |
[^ \t]
|
Any character except space or tab |
Log Analysis Examples
Match lines without digits (unusual for most logs)
[^0-9]*Matches only lines containing no numeric characters
Extract field value up to delimiter
.*message:([^,]*),.*Captures everything after "message:" until the next comma
Predefined Character Classes (Shorthand)
logging24 supports the usual shorthand forms for common character sets:
\d
|
Digits:
[0-9]
|
\D
|
Non-digits:
[^0-9]
|
\w
|
Word characters:
[0-9a-zA-Z_]
|
\W
|
Non-word characters:
[^0-9a-zA-Z_]
|
\s
|
Whitespace:
[\h\v]
(horizontal + vertical space)
|
\S
|
Non-whitespace:
[^\s]
|
\h
|
Horizontal space: tab or space |
\H
|
Non-horizontal space |
\v
|
Vertical space: newline, CR, vertical tab, form feed |
\V
|
Non-vertical space |
\N
|
Non-newline:
[^\n]
|
Log Analysis Examples
Match container IDs (hex strings)
.*container_[0-9a-f]{12}.*Matches Docker-style container IDs
Match timestamps with milliseconds
.*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}.*Matches: "2024-01-15 14:23:05.123"
Find memory usage in logs
.*memory:\s*\d+\s*MB.*Matches "memory: 512 MB", "memory: 1024 MB", etc.
Combining Classes
Character classes can be combined for complex patterns:
# Match valid Kubernetes pod names
.*[a-z0-9]([-a-z0-9]*[a-z0-9])?.*
# Match MAC addresses
.*([0-9a-f]{2}:){5}[0-9a-f]{2}.*
# Match email in logs (basic)
.*\w+@\w+\.\w+.*Next Steps
Character classes match anywhere by default. Learn to control where matches occur with Anchors & Boundaries .