EXTRACT

Creating and using EXTRACT Rules in Apica Ascent

Creating an EXTRACT Rule in Apica Ascent

To configure field extraction from log messages, follow the steps below to create an EXTRACT rule within a pipeline.

An EXTRACT rule helps you convert unstructured logs into structured logs by using regular expressions in RE2 syntax.

1. Navigate to Configure Pipeline

  • Go to the pipeline where you want to apply the rule.

  • Click on Configure Pipeline from the pipeline’s action menu.

Pipeline List view

2. Add a New EXTRACT Rule

  • Hover over the + Add Rule button.

  • Select EXTRACT from the rule type dropdown.

  • A modal will open with a form organized into tabs.

Create Rule

From here, you can define the fields that you want to extract and configure the rule to match your specific use case.

When you select the EXTRACT rule, a new form will appear on the left side of the modal. The form is organized into tabs based on logical groupings.

3. Fill in Rule Details

In the Details tab:

  • Specify the rule name, description, and other required fields.

  • Click + Add More Parameters to define matching conditions.

Example:

Message =~ my-app

This ensures the rule is applied only to logs containing specific patterns.

4. Define the Extraction Pattern

  • Enter a regular expression in RE2 syntax in the Pattern field that the rule will use to match and extract the desired fields from your log data. After filling in all required details, click Save to create the EXTRACT rule.

  • This expression should match the log structure and include named capture groups to extract values. We recommend testing your regex in regex101.com. Additionally, you can validate the pattern by selecting the Validate button.

Apica Ascent uses RE2 regular expressions for pattern expressions. A sample expression for extracting ingress logs is shown below.

Example RE2 Pattern (Ingress Logs):

^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+(?P<level>[A-Z]+)\s+\[(?P<app>[^\]]+)\]\s+\[pod=(?P<pod>[^\],]+),\s*namespace=(?P<namespace>[^\],]+),\s*environment=(?P<environment>[^\]]+)\]\s+(?P<message>.+)$

This pattern extracts the following fields:

  • timestamp

  • level

  • app

  • pod

  • namespace

  • environment

  • message

EXTRACT RULE PATTERN

5. Validate the Pattern

  • In the modal, navigate to the right panel.

  • Click Use Sample Logs → Custom Logs.

  • Paste the following sample log data into the editor window and click Preview.

Sample Raw logs:

[
    {
        "message": "2025-05-13T12:29:00.123456789Z INFO [my-app] [pod=my-app-abcd-12345, namespace=default, environment=production] Request received for delete rule"
    },
    {
        "message": "2025-05-13T14:29:00.123456789Z INFO [my-app] [pod=my-app-abcd-12345, namespace=default, environment=development] Request received for get rule"
    }
]
Preview Editor
  • Click Preview to confirm that fields are correctly extracted.

Matching Expression

Verify the extracted fields from the raw message.

Logs Details

Change the expression so that it does not match the logs, save the pipeline, and click Preview.

Message !~ my-app
Non-Matching Expression

Select any log from the logs and observe the extracted fields. No fields were extracted due to a non-matching expression.

No Fields Extracted

6. Use JavaScript for Advanced Transformations

EXTRACT rules support inline JavaScript. Use the Event object to manipulate fields or define custom fields. Read Code Rule for more details. For example:

if (Event.AppName == "appERP") {
  Event.copyOfAppName = "appERPData";
}
Code

Save the pipeline and click Preview to verify that the new field was added.

New Field

8. Save and Apply the Rule

  • Once all fields are configured and validated, click Save.

  • The rule will be applied to incoming log lines that match the defined criteria.

  • Extracted fields will be available for filtering, visualization, and alerting.

9. Use Pre-Built Rules (Optional)

Apica Ascent also provides pre-configured EXTRACT rules for commonly used log formats such as:

  • IIS Logs

  • Kubernetes Ingress Logs

  • AWS VPC Flow Logs

These can help you get started quickly without writing custom patterns.
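
To check the ingress pattern from step 4 outside the UI, the following added example (not Apica's code) runs it through Go's regexp package, which implements RE2 syntax, against a sample message from step 5. The helper names extractFields and compilesAsRE2 and the non-matching line are assumptions made for illustration; the last check shows that a lookahead, which PCRE-flavoured testers accept, is rejected under RE2.

```go
package main

import (
	"fmt"
	"regexp"
)

// Ingress pattern copied from the page; Go's regexp package implements RE2 syntax.
const ingressPattern = `^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+(?P<level>[A-Z]+)\s+\[(?P<app>[^\]]+)\]\s+\[pod=(?P<pod>[^\],]+),\s*namespace=(?P<namespace>[^\],]+),\s*environment=(?P<environment>[^\]]+)\]\s+(?P<message>.+)$`

// extractFields is a hypothetical helper: it returns the named capture groups
// for one log line, or ok=false when the line does not match the pattern.
func extractFields(re *regexp.Regexp, line string) (map[string]string, bool) {
	m := re.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	fields := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if name != "" { // index 0 and unnamed groups have an empty name
			fields[name] = m[i]
		}
	}
	return fields, true
}

// compilesAsRE2 reports whether a pattern is accepted by an RE2-syntax engine.
func compilesAsRE2(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

func main() {
	re := regexp.MustCompile(ingressPattern)
	lines := []string{
		// First sample message from the page.
		"2025-05-13T12:29:00.123456789Z INFO [my-app] [pod=my-app-abcd-12345, namespace=default, environment=production] Request received for delete rule",
		// Constructed line without fractional seconds or bracketed metadata: no match.
		"2025-05-13T12:30:00Z my-app started",
	}
	for _, l := range lines {
		fields, ok := extractFields(re, l)
		fmt.Println(ok, fields)
	}
	// A lookahead is valid in PCRE but is rejected by RE2.
	fmt.Println(compilesAsRE2(`level=(?=ERROR)\w+`))
}
```

A line that does not match returns no fields at all, so a format change in the log source shows up as missing fields rather than as an error.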
