watch-tool/configs/example-patterns.yaml

patterns:
  common:
    extractors:
      - name: "syslog_header"
        regex: '^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<hostname>[^\s]+) (?P<process_info>[^:]+):\s*(?P<message_rest>.*)$'
        fields:
          syslog_timestamp: "time:Jan 02 15:04:05"
          hostname: "string"
          process_info: "string"
          message_rest: "string"
      
      - name: "iso8601_timestamp"
        regex: '(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)'
        fields:
          timestamp: "time:2006-01-02T15:04:05.000000Z"

  nginx:
    extractors:
      - name: "access_log"
        regex: '^(?P<client_ip>\S+)\s+\S+\s+(?P<remote_user>\S+)\s+\[(?P<timestamp_nginx>[^\]]+)\]\s+"(?P<request>[^"]+)"\s+(?P<status_code>\d+)\s+(?P<bytes_sent>\d+|-)'
        fields:
          client_ip: "string"
          remote_user: "string"
          timestamp_nginx: "string"
          request: "string"
          status_code: "int"
          bytes_sent: "int"

  my-app:
    extractors:
      - name: "app_log"
        regex: '^\[(?P<level>\w+)\] id=(?P<request_id>\d+) duration=(?P<duration_ms>\d+)ms'
        fields:
          level: "string"
          request_id: "int"
          duration_ms: "int"