Groups & Alternation
Groups let you treat multiple elements as one unit and apply quantifiers or alternation to the whole expression. This page also introduces logging24's set-style operators such as intersection and exclusion.
Grouping
Parentheses create groups that can be quantified, referenced, or captured:
(ab)
|
Matches "ab" as a group |
(ab){3}
|
Matches "ababab" |
(error|warning)
|
Matches "error" or "warning" |
Log Analysis Examples
Repeated error patterns
.*(timeout\s*){2,}.*Matches lines with 2 or more "timeout" words (cascading timeouts)
Group multiple alternatives
.*(ERROR|WARN|FATAL):.*Matches any of the three severity levels
Alternation (OR)
The pipe symbol
|
provides alternation. In practice, you will often use it inside a pattern already wrapped for full-line matching:
foo|bar
|
Matches "foo" or "bar" |
(.*foo.*)|(.*bar.*)
|
Matches line containing "foo" OR "bar" |
.*(GET|POST|PUT|DELETE).*
|
Matches HTTP methods |
Important: Full-Line Context for Alternation
Remember that logging24 matches the whole log event. For alternation, each branch still needs to participate in a full-line match:
# Correct: Each alternative matches full line
(.*foo.*)|(.*bar.*)
# Also correct: Alternation within line context
.*(foo|bar).*
# Incorrect (matches only "foo" or "bar", not full line):
foo|barLog Analysis Examples
Match multiple error types
.*(connection refused|timeout|unreachable).*Matches network-related errors
Match different log formats
(^\d{4}-\d{2}-\d{2}.*)|(^\[.*?\].*)Matches ISO dates OR bracketed timestamps
logging24 Set Operations
logging24 also supports set-style combinations for complex filtering:
(.*foo.*)|(.*bar.*)
|
Union (OR): Lines with "foo" OR "bar" |
(.*foo.*)&(.*bar.*)
|
Intersection (AND): Lines with both "foo" AND "bar" |
(.*foo.*)~(.*bar.*)
|
Exclusion (NOT): Lines with "foo" but not "bar" |
Set Operation Examples
Find errors in production (AND)
(.*prod.*)&(.*ERROR.*)Matches lines containing "prod" AND "ERROR"
Exclude health checks from errors (NOT)
(.*ERROR.*)~(.*health.*)Matches ERROR lines that DON'T contain "health"
Complex filtering: Critical errors in prod, excluding tests
((.*prod.*)&(.*CRITICAL.*))~(.*test.*)Production critical errors, excluding test environments
Nested Groups
Groups can be nested for complex patterns:
# Match HTTP status codes with grouping
.*HTTP/\d\.\d\" (([24]0[0-9])|([35][0-9][0-9])).*
# Match timestamp components
.*(\d{4})-(\d{2})-(\d{2}).*
For numeric and textual extraction syntax such as
(?int)
,
(?num(N))
, and
(?txt(...))
, continue to
Capturing & Extraction
or return to
Querying
for the canonical analysis model.
Next Steps
Learn to extract and analyze data from your logs using Capturing & Extraction .