Logs are semi-structured by default, which makes them perfect candidates for carefully scoped regex parsing. The key is to avoid one giant catch-all expression and instead compose small, testable patterns.

Recipe 1: ISO timestamp at line start

/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z/

Recipe 2: HTTP status code extraction

/\bstatus=(2\d\d|3\d\d|4\d\d|5\d\d)\b/

Recipe 3: Trace or request ID

/\b(?:trace_id|request_id)=([a-f0-9-]{16,36})\b/i

Build each extractor independently, then compose at the application layer. This keeps performance predictable and makes failures easier to debug.