New Custom Regex Log Ingestion

By: Rachel Fong | December 19th, 2017

2 Min. Read

Unstructured text logs are so last decade, but sometimes you have to deal with them because they aren’t actually all that prehistoric in human years…or you just need us to ingest formats we don’t actually support yet.

We recently added custom regex support to honeytail, our agent for consuming existing log files, so you can now write your own custom formats for logs you want to analyze in Honeycomb.

Matching log lines will be parsed as events, with named regex capture groups corresponding to columns.

As an example, let’s ingest a Rails log file, one of a class of many objects that I would much rather never look through manually.

Rails log sample

Just construct a regex that pulls out the fields you want, and pass it to honeytail to get your awful looking log dumps parsed and ready to investigate in Honeycomb.

honeytail --writekey=MYWRITEKEY --dataset=MYDATASET `
    --parser=”regex” --regex.timefield="time" ``
    --regex.line-regex=”(?P<time>S+) (?P<source>.*): at=(?P<log_level>.*) method=(?P<http_method>.*) path="(?P<path>.*) ..."`

Rails logs in Honeycomb

Fascinating! Suspicious! Weird, even! Mostly, I’m excited that I can now click to sort all my requests by latency and filter to instantly see time-series graphs, instead of artisanally constructing an elaborate series of bash pipes.

Multiple line formats

We support passing multiple patterns, so you can parse logs with mixed output formats into the same dataset by adding additional —regex.line_regex flags to your honeytail call. (Order matters when we regex match your log lines, so put your most specific regexes first.)

Rails log sample with mixed output formats

honeytail --writekey=MYWRITEKEY --dataset=MYDATASET ``
    --parser=”regex” --regex.timefield="time" `
    --regex.line-regex=”(?P<time>S+) (?P<source>.*): at=(?P<log_level>.*) method=(?P<http_method>.*) path="(?P<path>.*) ..." `
    --regex.line-regex=”(?P<time>S+) (?P<source>.*): (?P<msg>.*)”`

FAQ

Nested capture groups are supported! (?P<outer>[^ ]* (?P<inner1>[^ ]*) (?P<inner2>[^ ]*))(Field names are WYSIWYG, e.g. inner1 instead of outer.inner1.)
Multiline regexes are not supported
Uses Google’s RE2 syntax

Check out the honeytail regex parser docs to get set up and try out some quickstart examples, and please contact us if you have questions. Happy string munging!

Don’t forget to share!

Rachel Fong

Elsie Phillips | May 19, 2025

Introducing Native Mobile Support in Honeycomb for Frontend Observability

You shipped your latest release. You tested it on emulators, QA devices, and the latest OS versions. But now it’s live and running on thousands or millions of real devices, across a jungle of screen sizes, hardware specs, OS versions, and network conditions. A user reports a crash on an old Samsung device over 3G. Someone else complains the app feels “sluggish” after updating. You dig through logs. Rebuild test cases. Ping the backend team. Try to reproduce. Yet, still no answers.

Frontend Observability OpenTelemetry

Bee Klimt | May 15, 2025

Understanding Your App’s Health With Core Mobile Vitals

There are certain important metrics that every mobile app has in common. At Honeycomb, we have surveyed these metrics across iOS and Android, and have defined a set of Core Mobile Vitals we think every app developer should care about. The purpose of these vitals is similar to that of Core Web Vitals for web frontends.

Frontend OpenTelemetry

Fred Hebert | May 12, 2025

Gotta Go Slow

I anticipated this would be a challenging time and that I would be exhausted. So, the plan became: do all the demanding things, take my sabbatical in May, and use April as an ‘in-between’ period with a bit less pressure. I would willingly step off the gas and let other SREs on the team cover pressing matters, as a sort of pre-game for my full month away.

Culture Software Engineering

All-in-one Observability

Why Honeycomb

Looking for something?

Our mission