Regex Parser Transform

The Vector regex_parser transform accepts and outputs log events allowing you to parse a log field's value with a Regular Expression.


# REQUIRED - General
type = "regex_parser" # must be: "regex_parser"
inputs = ["my-source-id"] # example
regex = "^(?P<timestamp>[\\w\\-:\\+]+) (?P<level>\\w+) (?P<message>.*)$" # example
# OPTIONAL - General
drop_field = true # default
field = "message" # default
# OPTIONAL - Types
status = "int" # example
duration = "float" # example
success = "bool" # example
timestamp = "timestamp|%F" # example
timestamp = "timestamp|%a %b %e %T %Y" # example


4 items


If the specified field should be dropped (removed) after parsing.

Default: true
View examples


The log field to parse. See Failed Parsing for more info.

Default: "message"
View examples


The Regular Expression to apply. Do not include the leading or trailing /. See Failed Parsing and Regex Debugger for more info.

No default
View examples


Key/Value pairs representing mapped log field types. See Regex Syntax for more info.



A definition of log field type conversions. They key is the log field name and the value is the type. strptime specifiers are supported for the timestamp type.

No default
Enum, must be one of: "bool" "float" "int" "string" "timestamp"
View examples


Given the following log line:

"message": " - zieme4647 5667 [19/06/2019:17:20:49 -0400] \"GET /embrace/supply-chains/dynamic/vertical\" 201 20574"

And the following configuration:

type = "regex_parser"
field = "message"
regex = '^(?P<host>[\w\.]+) - (?P<user>[\w]+) (?P<bytes_in>[\d]+) \[(?P<timestamp>.*)\] "(?P<method>[\w]+) (?P<path>.*)" (?P<status>[\d]+) (?P<bytes_out>[\d]+)$'
bytes_in = "int"
timestamp = "timestamp|%d/%m/%Y:%H:%M:%S %z"
status = "int"
bytes_out = "int"

A log event will be output with the following structure:

// ... existing fields
"bytes_in": 5667,
"host": "",
"user_id": "zieme4647",
"timestamp": <19/06/2019:17:20:49 -0400>,
"message": "GET /embrace/supply-chains/dynamic/vertical",
"status": 201,
"bytes_out": 20574

Things to note about the output:

  1. The message field was overwritten.
  2. The bytes_in, timestamp, status, and bytes_out fields were coerced.

How It Works

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

Failed Parsing

If the field value fails to parse against the provided regex then an error will be logged and the event will be kept or discarded depending on the drop_failed value.

A failure includes any event that does not successfully parse against the provided regex. This includes bad values as well as events missing the specified field.


The regex_parser source has been involved in the following performance tests:

Learn more in the Performance sections.

Regex Debugger

To test the validity of theregex option, we recommend the Rust Regex Tester. Note, you must use named captures in your regex to map the results to fields.

Regex Syntax

Vector follows the documented Rust Regex syntax since Vector is written in Rust. This syntax follows a Perl-style regular expression syntax, but lacks a few features like look around and backreferences.

Named Captures

You can name Regex captures with the <name> syntax. For example:

^(?P<timestamp>\w*) (?P<level>\w*) (?P<message>.*)$

Will capture timestamp, level, and message. All values are extracted as string values and must be coerced with the types table.

More info can be found in the Regex grouping and flags documentation.


Regex flags can be toggled with the (?flags) syntax. The available flags are:

icase-insensitive: letters match both upper and lower case
mmulti-line mode: ^ and $ match begin/end of line
sallow . to match \n
Uswap the meaning of x* and x*?
uUnicode support (enabled by default)
xignore whitespace and allow line comments (starting with #)

For example, to enable the case-insensitive flag you can write:

(?i)Hello world

More info can be found in the Regex grouping and flags documentation.