Regular Expressions

**stek** · 26 November 2016, 17:52

Originally posted by Netraider View Post

I'm hoping somebody on the panel can help me. I am trying to extract some information from a log file See below for example

When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" I get

How do I just get the country from the Log?

Scanning that ip....

**eek** · 26 November 2016, 18:11

"^.*srccountry=\"(.+)\"$" should do it from memory...

**Netraider** · 27 November 2016, 11:30

Originally posted by eek View Post

"^.*srccountry=\"(.+)\"$" should do it from memory...

Unfortunately, the form that I enter the expression into says - Regular Expression did not match"

**vetran** · 27 November 2016, 14:37

RegExr: Learn, Build, & Test RegEx

**eek** · 27 November 2016, 14:54

Originally posted by Netraider View Post

Unfortunately, the form that I enter the expression into says - Regular Expression did not match"

Originally posted by eek View Post

"^.*srccountry=\"(.+)\"" should do it from memory...

Yep because it's got a $ you don't need try the above

**Netraider** · 27 November 2016, 18:35

Originally posted by vetran View Post

RegExr: Learn, Build, & Test RegEx

Cheers Veteran, I'll work through and see how I go.

**mudskipper** · 27 November 2016, 19:11

Originally posted by Netraider View Post

Cheers Veteran, I'll work through and see how I go.

**vetran** · 28 November 2016, 23:41

Originally posted by mudskipper View Post

Scary thing is Regex is basically a superpower!

Many a time someone has said there is no way we can go through all that there are megabytes, Gigabytes , terabytes (depending on Decades) of log files . and a day later we have 200 lines to loOk at. I still struggle with the syntax but between Grep/awk & regex it has saved lots of situations.

**Contreras** · 29 November 2016, 08:48

Originally posted by Netraider View Post

When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" ...

The ^.* matches preceding garbage. For the trailing garbage the $ would be .*$ however both are redundant to your purpose and can be omitted.

The (.+) matches to end of line and not just the desired string ~~and the () are redundant in that context anyway~~. Probably you want to match for a string bounded by quotes and not itself including quote char, e.g. "[^"]*"

Add a leading (^| ) if matching on othersrccountry="..." would be bothersome.

In the shell, 'single quotes' saves from having to use backslash escapes.

Code:

$ cat test.dat
date=2016-11-26 time=17:03:26 devname=XXXXX3X15013159 devid=XXXXX3X15013159 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=xx.xx.xx.xx srcport=4927 srcintf="wan" dstip=xxx.xxx.xxx.170 dstport=23 dstintf="root" sessionid=2417401 proto=6 action=deny policyid=0 policytype=local-in-policy dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical

$ grep -Eo "srccountry=\"[^\"]*\"" test.dat
srccountry="United Kingdom"

$ grep -Eo 'srccountry="[^"]*"' test.dat 
srccountry="United Kingdom"

Regular Expressions