regex for access log in hive serde

Question

I want to extract out (ip, requestUrl, timeStamp) from the access logs to load to hive database. One line from access log is as follows.

66.249.68.6 - -          


        

Answer 1

Use double '\' and '.*' in the end (it's important!):

CREATE EXTERNAL TABLE access_log (
        `ip`                STRING,
        `time_local`        STRING,
        `method`            STRING,
        `uri`               STRING,
        `protocol`          STRING,
        `status`            STRING,
        `bytes_sent`        STRING,
        `referer`           STRING,
        `useragent`         STRING
        )
    ROW FORMAT SERDE 'org.apache.hadoop.hive.contrib.serde2.RegexSerDe'
    WITH SERDEPROPERTIES (
    'input.regex'='^(\\S+) \\S+ \\S+ \\[([^\\[]+)\\] "(\\w+) (\\S+) (\\S+)" (\\d+) (\\d+) "([^"]+)" "([^"]+)".*'
)
STORED AS TEXTFILE
LOCATION '/tmp/access_logs/';

P.S. Hive 0.7.1

Answer 2

I use rubular to test my regex. You can also use this expression

([^ ]*) ([^ ]*) ([^ ]*) (?:-|\[([^\]]*)\]) ([^ \"]*|\"[^\"]*\") (-|[0-9]*)

You get the following output

1.  66.249.68.6
2.  -
3.  -
4.  14/Jan/2012:06:25:03 -0800
5.  "GET /example.com HTTP/1.1"
6.  200

Answer 3

Not fool-proof, but given that it is a log file in a known format then the following should work (untested in Hive, but works with grep -E and with http://www.regexplanet.com/simple/index.html if you replace [^[] with [^\[] and [^]] with [^\]]). Assumes you only want the three values you specifically mentioned.

"input.regex" = "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)[^[]+\[([^]]+)\][^/]+([^ ]+).+"
"output.format.string" = "%1$s %2$s %3$s"