Real-World Examples

This chapter collects ready-to-adapt patterns for common logging24 query tasks. Use them as starting points, then tune prefixes, time ranges, and captures for your own data.

Web Server Logs

Apache/Nginx Combined Log Format

Find 5xx server errors

.*\" [5]\d{2} .*

Matches HTTP 500, 502, 503, 504 errors

Slow requests (>1 second)

.*\d{4,} .*\"http.*

Matches requests taking 1000ms or more (assuming microsecond logging)

Specific IP range (192.168.x.x)

.*\b192\.168\.\d{1,3}\.\d{1,3}\b.*

Finds requests from the 192.168.0.0/16 private range (RFC 1918). The client address is the first field of a combined-format line, so a pattern that demands a space in front of it never matches there; the word boundaries work at line start and stop a longer number that merely contains the prefix from matching.

404 errors by path (grouped)

.*\"GET (?(?txt(/\S+))) HTTP.*\" 404.*

Groups 404 errors by requested path. Text captures are cut at 31 bytes (see the reference card), so long paths collapse into one bucket, and \S+ takes the query string along with the path, so strip or normalise it if you want one bucket per resource.
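
The following is an added example, not part of the logging24 documentation or its code: standard-library Python equivalents of the four web-log patterns above, run over constructed combined-format lines with an assumed trailing $request_time field. It shows what each pattern selects, and in particular that the digit-count "slow request" pattern lands on the byte count when the format has no timing field.

```python
"""Added example: Python equivalents of the web-log patterns above, run over
constructed combined-format lines. Not logging24 code; it shows what each
pattern selects and why the digit-count slow-request pattern misfires."""
import re
from collections import Counter

# Constructed sample: Nginx combined format with $request_time (seconds, ms
# precision) appended as an extra trailing field. Not captured from a real server.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 10240 "http://example.com/" "Mozilla/5.0" 0.012
10.0.0.7 - - [10/Oct/2024:13:55:37 +0000] "GET /api/orders HTTP/1.1" 502 512 "-" "curl/8.4.0" 1.250
192.168.1.21 - - [10/Oct/2024:13:55:38 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0" 0.001
203.0.113.9 - - [10/Oct/2024:13:55:39 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0" 0.001
203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 503 0 "-" "Mozilla/5.0" 3.004
"""
LINES = SAMPLE_LOG.splitlines()

# Field-aware parser for the combined format plus the optional trailing duration.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: (?P<rt>\d+\.\d+))?$'
)

# The page's patterns as full-line regexes (their .* wrapping makes them so).
FIVE_XX = re.compile(r'.*" 5\d{2} .*')
NAIVE_SLOW = re.compile(r'.*\d{4,} .*"http.*')
INTERNAL = re.compile(r'.*\b192\.168\.\d{1,3}\.\d{1,3}\b.*')
NOT_FOUND = re.compile(r'.*"GET (/\S+) HTTP.*" 404.*')


def parse(lines):
    """Yield one dict of named fields per line that parses as combined format."""
    for line in lines:
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()


def server_errors(lines):
    """Lines whose status field is 5xx."""
    return [l for l in lines if FIVE_XX.fullmatch(l)]


def naive_slow(lines):
    """What the digit-count pattern really selects on the stock format: it lands
    on the byte count, so a 12 ms request with a referrer is flagged as slow."""
    return [l for l in lines if NAIVE_SLOW.fullmatch(l)]


def slow_requests(lines, threshold_s=1.0):
    """Threshold on the parsed duration field instead of counting digits."""
    return [r for r in parse(lines)
            if r["rt"] is not None and float(r["rt"]) >= threshold_s]


def internal_requests(lines):
    """Requests from 192.168.0.0/16; \\b matches at line start, a leading space does not."""
    return [l for l in lines if INTERNAL.fullmatch(l)]


def not_found_by_path(lines):
    """Count 404s per requested path, the grouping the txt capture performs."""
    counts = Counter()
    for l in lines:
        m = NOT_FOUND.fullmatch(l)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    print(len(server_errors(LINES)), "5xx lines")
    print("naive slow:", [l.split()[0] for l in naive_slow(LINES)])
    print("slow by request_time:", [r["path"] for r in slow_requests(LINES)])
    print("internal:", len(internal_requests(LINES)))
    print("404s by path:", dict(not_found_by_path(LINES)))
```

Run it as a script: the naive pattern flags the first line (12 ms, 10240 bytes, has a referrer) and misses the two genuinely slow requests, while the parsed request_time field finds /api/orders and /login.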

Application Logs

Java/Log4j Style

Exception stack traces

.*(Exception|Error).*|.*\sat [\w$.<>]+\(.*

Matches exception headers, including Error subclasses such as OutOfMemoryError and StackOverflowError that are not Exceptions, and stack frames. Frame class names can contain $ (inner and anonymous classes), digits, and the <init>/<clinit> method names, none of which a bare [a-zA-Z_.] class accepts.

GC pauses over 100ms

(.*GC.*[^\d](?(?int))\s*ms.*)&(.*GC.*[^\d][1-9]\d{2,}\s*ms.*)

Captures GC pause durations of 100 ms and more for the Y-axis. The left side captures the pause with the documented int capture; the right side restricts the line to pauses of three or more digits. The [^\d] guard stops the capture from starting in the middle of a longer number.

Database query times

.*Query took (?(?num(2)))s.*

Captures query execution time for plotting. num(2) expects a two-decimal float such as 0.42 followed by s; a log that writes 420ms needs the int capture and an ms suffix instead.

Python/JSON Logs

JSON field extraction

.*\"level\":\s*\"(?(?txt(\w+)))\".*

Groups by log level in JSON. A regex over serialised JSON works while the value is a plain word with no escaped quotes and the whitespace fits \s*; it knows nothing about nesting, so a "level" key inside an embedded object is grouped the same way.

Find nested error in JSON

(.*\"error\".*)&(.*\"traceback\".*)

Matches JSON lines containing both keys in either order. A single pattern such as .*\"error\".*\"traceback\".* only matches when error precedes traceback, and JSON serialisers do not guarantee key order.

System Logs

Linux Journal/systemd

Kernel errors

.*kernel.*(ERROR|CRITICAL|ALERT|EMERG).*

Finds kernel messages whose text carries a severity word. journalctl's default output prints no severity label, so this only fires when the message itself contains one; for dependable coverage match the kernel's own markers (BUG:, Oops, Call Trace, WARNING:) or export with journalctl -o json, whose PRIORITY field is 0 to 3 for emerg through err.

Out of memory killer

.*Out of memory.*Kill.*

Matches OOM killer invocations: current kernels write "Out of memory: Killed process PID (name)", older ones "Out of memory: Kill process PID (name) score N or sacrifice child", and Kill covers both spellings.

Service restart frequency by service

.*Started (?(?txt([^.]+)))\.service.*

Groups service start events (every start, not only restarts) by unit name. Recent systemd logs "Started foo.service - Description", which this matches; older versions log only the description, with no unit name on the line, and get nothing from this pattern.

Container/Docker

Container deaths

.*container [0-9a-f]{12}.*die(d)?.*|.*oom_kill.*

Finds container failures and OOM kills. The 12-hex-digit short ID also matches the first twelve characters of a full 64-character ID; die(d)? covers both the "died" wording and the die event name that docker events prints. An exit code of 137 on such a line is 128+9, i.e. SIGKILL, which is how the OOM killer terminates a process.

Image pull errors

.*(Failed to pull image|ImagePullBackOff|ErrImagePull).*

Common Kubernetes image pull failures: "Failed to pull image" is the kubelet's event message, ErrImagePull and ImagePullBackOff are the waiting reasons shown in the pod's container status.

Performance Analysis

Latency distribution (histogram)

.*latency[=:]\s*(?(?num(3))).*

Extracts the latency value as a three-decimal float. The capture is unit-blind: a stream that mixes latency=0.250 (seconds) and latency=250.000 (milliseconds) puts values a thousandfold apart on one axis, so match the unit suffix or normalise at the source first.

Memory growth over time

.*heap\s*usage[:=]\s*(?(?int))\s*(?i:mb|bytes).*

Captures the heap usage integer. (?i:...) applies case-insensitivity to the unit alternation only, a form every common regex engine accepts, whereas a bare (?i) in mid-pattern is rejected by some. The unit is not part of the capture, so MB and bytes lines on the same chart differ by a factor of about a million; restrict to one unit, e.g. (?i:mb), unless the producer is consistent.

Error rate by service

(.*service=(?(?txt(\w+))).*)&(.*ERROR.*)

Groups errors by service identifier. Each side of & must be its own parenthesised pattern; putting .*&ERROR.* inside the capture's parentheses is not a valid conjunction.

Security Monitoring

Authentication failures

.*(?i:auth.*fail|login.*fail|failed password|invalid.*password|unauthorized).*

Case-insensitive auth failure detection; (?i:...) supplies the insensitivity, without which sshd's "Failed password for invalid user X from IP" is missed. This also catches PAM's "authentication failure" lines. Expect some noise wherever "auth" and "fail" happen to occur in the same unrelated message.

Suspicious user agents

.*\"[^\"]*(?i:sqlmap|nikto|nmap|masscan|zgrab)[^\"]*\"

Known scanner signatures, matched inside the final quoted field (the user agent in the combined format) rather than anywhere on the line, so a request for /docs/nmap-cheatsheet.html does not trip it. Case-insensitive because Nikto and the Nmap Scripting Engine capitalise their names. These are default strings that any attacker can change, so a miss proves nothing.

Privilege escalation attempts

.*(?i:sudo:.*(incorrect password attempt|not in sudoers|command not allowed)|FAILED SU|pam_unix\(su[^)]*:auth\): authentication failure).*

Privilege escalation attempts as sudo, su and PAM actually log them: "N incorrect password attempts", "user NOT in sudoers" and "command not allowed" from sudo, "FAILED SU (to root)" from su, and the pam_unix(su:auth), pam_unix(su-l:auth) and pam_unix(sudo:auth) authentication failure lines. A loose alternative such as su.*auth also fires on unrelated text like "result authorized" while missing FAILED SU, and no standard daemon writes the words "privilege escalation".
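
The following is an added example, not part of the logging24 documentation or its code: Python equivalents of the three security-monitoring patterns above, run over constructed auth.log and access-log lines (hostnames, addresses and user names are invented; the user-agent strings follow the scanners' defaults). It shows the sshd line a case-sensitive pattern misses, the false positive and false negative of a bare su.*auth alternative, and why the scanner match is scoped to the user-agent field.

```python
"""Added example: Python equivalents of the security-monitoring patterns above,
run over constructed auth.log and access-log lines. Not logging24 code."""
import re

# Constructed auth.log lines in the shape sshd, sudo, su and PAM produce.
AUTH_LINES = [
    "Oct 10 13:55:36 web-1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Oct 10 13:55:40 web-1 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9",
    "Oct 10 13:56:01 web-1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Oct 10 13:56:10 web-1 sudo:    bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id",
    "Oct 10 13:56:20 web-1 su[2290]: pam_unix(su-l:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser=alice rhost=  user=root",
    "Oct 10 13:56:21 web-1 su[2290]: FAILED SU (to root) alice on pts/0",
    "Oct 10 13:57:00 web-1 sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2",
    "Oct 10 13:57:05 web-1 app[900]: token lookup result authorized for user alice",
]

# Constructed combined-format access lines; the UA strings follow the tools' defaults.
ACCESS_LINES = [
    '203.0.113.9 - - [10/Oct/2024:14:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.8.2#stable (https://sqlmap.org)"',
    '203.0.113.9 - - [10/Oct/2024:14:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"',
    '198.51.100.4 - - [10/Oct/2024:14:00:03 +0000] "GET /docs/nmap-cheatsheet.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"',
]

# Case-insensitive auth failures, with sshd's "Failed password" included.
AUTH_FAIL = re.compile(r".*(?i:auth.*fail|login.*fail|failed password|invalid.*password|unauthorized).*")
# Scoped to the strings sudo, su and PAM actually write.
PRIV_FAIL = re.compile(
    r".*(?i:sudo:.*(incorrect password attempt|not in sudoers|command not allowed)"
    r"|FAILED SU|pam_unix\(su[^)]*:auth\): authentication failure).*"
)
# The loose alternative, kept only to show its failure modes.
BARE_SU_AUTH = re.compile(r".*su.*auth.*")
# Scanner names inside the last quoted field (the user agent) only.
SCANNER_UA = re.compile(r'.*"[^"]*(?i:sqlmap|nikto|nmap|masscan|zgrab)[^"]*"')
# The unscoped, case-sensitive form, kept to show what it gets wrong.
SCANNER_ANYWHERE = re.compile(r".*(sqlmap|nikto|nmap|masscan|zgrab).*")


def select(regex, lines):
    """Full-line match, mirroring the .*-wrapped patterns on this page."""
    return [l for l in lines if regex.fullmatch(l)]


def auth_failures(lines):
    return select(AUTH_FAIL, lines)


def priv_failures(lines):
    return select(PRIV_FAIL, lines)


def bare_su_auth_hits(lines):
    """Fires on 'result authorized' (su inside 'result') and misses FAILED SU."""
    return select(BARE_SU_AUTH, lines)


def scanner_hits(lines):
    return select(SCANNER_UA, lines)


def scanner_anywhere(lines):
    """Misses the capitalised Nikto UA and flags a path containing 'nmap'."""
    return select(SCANNER_ANYWHERE, lines)


if __name__ == "__main__":
    print("auth failures:", len(auth_failures(AUTH_LINES)))
    print("privilege failures:", len(priv_failures(AUTH_LINES)))
    print("bare su.*auth hits:", [l.split(": ", 1)[1] for l in bare_su_auth_hits(AUTH_LINES)])
    print("scanner UAs (scoped):", len(scanner_hits(ACCESS_LINES)))
    print("scanner (anywhere):", len(scanner_anywhere(ACCESS_LINES)))
```

The scoped scanner pattern relies on the user agent being the last quoted field, which holds for the combined format; if your format appends fields after it, anchor on the field position instead.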

Complex Multi-Condition Queries

Production errors excluding health checks

((.*prod.*)&(.*ERROR.*))~(.*health.*|.*ping.*)

Production errors only, excluding health check noise. Both exclusions are substring tests, so .*ping.* also drops real errors from lines that mention shipping, mapping or stopping; tie the exclusion to the field that carries it (service=health, a /ping path) where such words occur in your data.

Slow queries in specific service

(.*\[database\].*)&(.*took ([2-9]\d{3}|\d{5,})ms.*)

Database service queries taking 2000 ms or more. The first alternative covers 2000-9999 and the second any value of five or more digits; a bare [2-9]\d{3,} silently skips 10000-19999 ms (and 100000-199999 ms) because it demands a leading 2-9.

Memory issues on specific hosts

(.*host=web-[0-9]+.*)&(.*(?i:oom|out of memory|memory.*exhausted).*)

Memory problems on web servers only. The alternation is case-insensitive because the kernel writes "Out of memory" with a capital O, and oom also picks up oom-kill and oom_reaper lines.
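
The following is an added example, not part of the logging24 documentation or its code: a small evaluator for the page's &, | and ~ combinators over standard Python regexes, run on constructed log lines. It serves this section and the JSON section above, showing where the .*ping.* exclusion, the [2-9]\d{3,} range and the ordered "error"..."traceback" pattern lose or gain lines compared with their tightened forms.

```python
"""Added example: the page's &, | and ~ combinators as Python predicates over
full-line regexes, run on constructed lines. Not logging24 code."""
import re


def P(pattern):
    """Predicate for a full-line regex match, as the .*-wrapped page patterns imply."""
    rx = re.compile(pattern)
    return lambda line: rx.fullmatch(line) is not None


def AND(a, b):
    return lambda line: a(line) and b(line)       # (A)&(B)


def OR(a, b):
    return lambda line: a(line) or b(line)        # (A)|(B)


def NOT(a, b):
    return lambda line: a(line) and not b(line)   # (A)~(B)


def run(pred, lines):
    return [l for l in lines if pred(l)]


# Constructed application, database and JSON log lines.
APP_LINES = [
    "2024-10-10T13:55:36Z env=prod service=checkout level=ERROR msg=payment gateway timeout",
    "2024-10-10T13:55:37Z env=prod service=health level=ERROR msg=/health probe failed",
    "2024-10-10T13:55:38Z env=prod service=shipping level=ERROR msg=rate lookup failed",
    "2024-10-10T13:55:39Z env=staging service=checkout level=ERROR msg=payment gateway timeout",
    "2024-10-10T13:55:40Z [database] query took 2500ms",
    "2024-10-10T13:55:41Z [database] query took 12000ms",
    "2024-10-10T13:55:42Z [database] query took 900ms",
    "2024-10-10T13:55:43Z [cache] query took 3000ms",
    '{"level": "error", "traceback": "Traceback (most recent call last)..."}',
    '{"traceback": "Traceback (most recent call last)...", "error": "boom"}',
]

# Production errors minus health checks: .*ping.* also swallows "shipping".
PROD_ERRORS = NOT(AND(P(r".*prod.*"), P(r".*ERROR.*")),
                  OR(P(r".*health.*"), P(r".*ping.*")))
# Same intent, with the exclusion tied to the fields that carry it.
PROD_ERRORS_TIGHT = NOT(AND(P(r".*prod.*"), P(r".*ERROR.*")),
                        P(r".*(service=health|/ping\b).*"))

# Slow database queries: the leading [2-9] drops 10000-19999 ms.
SLOW_DB_GAPPY = AND(P(r".*\[database\].*"), P(r".*took [2-9]\d{3,}ms.*"))
SLOW_DB = AND(P(r".*\[database\].*"), P(r".*took ([2-9]\d{3}|\d{5,})ms.*"))

# JSON with both keys: one ordered pattern versus an order-free conjunction.
JSON_ORDERED = P(r'.*"error".*"traceback".*')
JSON_BOTH = AND(P(r'.*"error".*'), P(r'.*"traceback".*'))


if __name__ == "__main__":
    for name, query in [("prod errors", PROD_ERRORS), ("prod errors (tight)", PROD_ERRORS_TIGHT),
                        ("slow db (gappy)", SLOW_DB_GAPPY), ("slow db", SLOW_DB),
                        ("json ordered", JSON_ORDERED), ("json both", JSON_BOTH)]:
        print(f"{name}: {len(run(query, APP_LINES))} line(s)")
```

The evaluator applies each side to the whole line and combines the booleans, which is the semantics the reference card describes; the interesting part is the pairs of queries, where the loose form returns one line and the tightened form returns two.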

Quick Reference Card

.*pattern.* Find pattern anywhere in line
(A)|(B) Match A OR B (lines containing either)
(A)&(B) Match A AND B (lines containing both)
(A)~(B) Match A but NOT B
(?(?int)) Capture integer for Y-axis
(?(?num(N))) Capture float with N decimals for X-axis
(?(?txt(...))) Capture text for grouping (max 31 bytes)

Start Analyzing

Apply these patterns through the CLI or API, then adapt them to your own prefixes, time ranges, and analysis needs.