.:: Marcos Dione/StyXman's glob ::. (Posts about regexp)https://www.grulic.org.ar/~mdione/glob/enContents © 2025 <a href="mailto:mdione@grulic.org.ar">Marcos Dione</a> Thu, 29 May 2025 15:41:12 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssIs dinant dead; or: A tip for writing regular expressionshttps://www.grulic.org.ar/~mdione/glob/posts/is-dinant-dead-or-a-tip-for-writing-regular-expressions/Marcos Dione<p><em>NE: Another dictated and quickly revised post. Sorry for the mess.</em></p> <p>Last night I was trying to develop a Prometheeus exporter for Apache logs. There's only one already written but it doesn't provide much information, and I just wanted to try myself (yes, a little NIH).</p> <p>So I decided to start with the usual thing; that is, parsing the log lines. What's the best thing to do this than regular expressions and since I needed to capture a lot of stuff, and then be able to reference them, I thought "Oh yeah, now I remember my project <a href="https://github.com/StyXman/dinant">dinant</a>. What happened with it?"</p> <p>I opened the last version of the source file and I found out that it's incomplete code and it's not in a good shape. So I said "look, it's too late, I'm not going to put it back in shape this because, even if I'm doing this for a hobby, eventually I will need this for work, so I will try to get something quick fast, and then when I have the time I'll see if I can revive dinant". So the answer to the title question is "maybe".</p> <p>One of the ideas of dinant was that you would build your regular expressions piece by piece. Because it provides blocks that you could easily combine, that made building the regular expression easy, but it doesn't mean that you cannot do that already. For instance the first thing I have to parse is an IP address. What's an IP address? It's four octets joined by three dots. So we just define a regular expression that matches the octet and then a regular expression that matches the whole IP. Then for the rest of the fields of the line I kept using the same idea.</p> <p>Another tip is that for defining regular expressions I like to use r-strings, raw strings, so backslashes are escaping regular expression elements like <code>.</code> or <code>*</code> and not escaping string elements like <code>\n</code> or <code>\t</code>, and given that they are prefixed by <code>r</code>, to me it's not only a raw string but it's also a regular expression string :)</p> <p>Finally, building your regular expressions block by block and then combining them in a final regular expression should make your regular expressions easier to test, because then you can you can build test code that test each block individually, and then you test bigger and bigger expressions, exactly like I did for dinant.</p> <p>Here's the regexps quite well tested:</p> <div class="code"><pre class="code literal-block"><span class="kn">import</span><span class="w"> </span><span class="nn">re</span> <span class="n">capture</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">lambda</span><span class="w"> </span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="n">regexp</span><span class="p">:</span><span class="w"> </span><span class="sa">f</span><span class="s2">"(?P&lt;</span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s2">&gt;</span><span class="si">{</span><span class="n">regexp</span><span class="si">}</span><span class="s2">)"</span> <span class="n">octect</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sa">r</span><span class="s1">'([0-9]|[1-9][0-9]|1[0-9]{1,2}|2[0-4][0-9]|25[0-5])'</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'0'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'9'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'10'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'99'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'100'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'255'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'-1'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">octect</span><span class="p">,</span><span class="w"> </span><span class="s1">'256'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="kc">None</span> <span class="n">IPv4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sa">r</span><span class="s1">'\.'</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="n">octect</span><span class="p">]</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="c1"># thanks to r'', the \ is a regexp escape symbol, not a string escape symbol</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">IPv4</span><span class="p">,</span><span class="w"> </span><span class="s1">'0.0.0.0'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">IPv4</span><span class="p">,</span><span class="w"> </span><span class="s1">'255.255.255.255'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">IPv4</span><span class="p">,</span><span class="w"> </span><span class="s1">'255.255.255'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">IPv4</span><span class="p">,</span><span class="w"> </span><span class="s1">'255.255'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="kc">None</span> <span class="k">assert</span><span class="w"> </span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="n">IPv4</span><span class="p">,</span><span class="w"> </span><span class="s1">'255'</span><span class="p">)</span><span class="w"> </span><span class="ow">is</span><span class="w"> </span><span class="kc">None</span> </pre></div> <p>Meanwhile, after reading <a href="https://www.robustperception.io/getting-metrics-from-apache-logs-using-the-grok-exporter/">this</a>, I decided to just use <a href="https://github.com/fstab/grok_exporter/">the grok exporter</a>. More on that soon.</p> <h2>Update</h2> <p>Talking this morning about it with a friend, I realized that the IPv4 regex is more complex than it needs to be: Apache logs will never have a wrong IP, unless they're badly misbehaving, at which point you should have better ways to detect that.</p>apachedinantprometheuspythonregexphttps://www.grulic.org.ar/~mdione/glob/posts/is-dinant-dead-or-a-tip-for-writing-regular-expressions/Fri, 17 Nov 2023 08:17:45 GMT