
Regular Expressions


    Regular Expressions

    I'm hoping somebody on the panel can help me. I am trying to extract some information from a log file. See below for an example.

    date=2016-11-26 time=17:03:26 devname=XXXXX3X15013159 devid=XXXXX3X15013159 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=109.176.192.91 srcport=4927 srcintf="wan" dstip=xxx.xxx.xxx.170 dstport=23 dstintf="root" sessionid=2417401 proto=6 action=deny policyid=0 policytype=local-in-policy dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical
    When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" I get

    "United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical
    How do I just get the country from the Log?
    SUFTUM

    May life give you what you need, rather than what you want....

    #2
    Originally posted by Netraider View Post
    I'm hoping somebody on the panel can help me. I am trying to extract some information from a log file See below for example



    When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" I get



    How do I just get the country from the Log?
    Scanning that ip....



      #3
      "^.*srccountry=\"(.+)\"$" should do it from memory...
      merely at clientco for the entertainment



        #4
        Originally posted by eek View Post
        "^.*srccountry=\"(.+)\"$" should do it from memory...
        Unfortunately, the form that I enter the expression into says "Regular Expression did not match"
        SUFTUM

        May life give you what you need, rather than what you want....



          #5
          RegExr: Learn, Build, & Test RegEx
          Always forgive your enemies; nothing annoys them so much.



            #6
            Originally posted by Netraider View Post
            Unfortunately, the form that I enter the expression into says "Regular Expression did not match"
            Originally posted by eek View Post
            "^.*srccountry=\"(.+)\"" should do it from memory...
            Yep, because it's got a $ you don't need. Try the above.
            merely at clientco for the entertainment



              #7
              Originally posted by vetran View Post
              Cheers Veteran, I'll work through and see how I go.
              Last edited by Netraider; 27 November 2016, 18:37. Reason: Wrong poster mentioned
              SUFTUM

              May life give you what you need, rather than what you want....



                #8
                Originally posted by Netraider View Post
                Cheers Veteran, I'll work through and see how I go.



                  #9
                  Originally posted by mudskipper View Post
                  Scary thing is Regex is basically a superpower!

                  Many a time someone has said there is no way we can go through all that, there are megabytes, gigabytes, terabytes (depending on decades) of log files, and a day later we have 200 lines to look at. I still struggle with the syntax, but between grep/awk and regex it has saved lots of situations.
                  Always forgive your enemies; nothing annoys them so much.



                    #10
                    Originally posted by Netraider View Post
                    When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" ...
                    The ^.* matches preceding garbage. For the trailing garbage the $ would be .*$; however, both are redundant to your purpose and can be omitted.

                    The (.+) matches to end of line and not just the desired string and the () are redundant in that context anyway. Probably you want to match for a string bounded by quotes and not itself including quote char, e.g. "[^"]*"

                    Add a leading (^| ) if matching on othersrccountry="..." would be bothersome.

                    In the shell, 'single quotes' save you from having to use backslash escapes.

                    Code:
                    $ cat test.dat
                    date=2016-11-26 time=17:03:26 devname=XXXXX3X15013159 devid=XXXXX3X15013159 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=xx.xx.xx.xx srcport=4927 srcintf="wan" dstip=xxx.xxx.xxx.170 dstport=23 dstintf="root" sessionid=2417401 proto=6 action=deny policyid=0 policytype=local-in-policy dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical
                    
                    $ grep -Eo "srccountry=\"[^\"]*\"" test.dat
                    srccountry="United Kingdom"
                    
                    $ grep -Eo 'srccountry="[^"]*"' test.dat 
                    srccountry="United Kingdom"
                    Last edited by Contreras; 29 November 2016, 23:43.
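
The pattern from post #10 (field-boundary anchor plus a quote-bounded value), generalised to any key and to unquoted values, shown beside the original greedy expression. This is an added example, not part of any poster's reply: the function names `get_field`, `count_by` and `greedy_srccountry` are hypothetical, the sample lines are constructed in the thread's log format with documentation-range addresses, and the key is assumed to be a plain word with no regex metacharacters.

```shell
# Constructed sample lines modelled on the log format in the thread
# (addresses and the fourth line's othersrccountry key are illustrative only).
SAMPLE='date=2016-11-26 time=17:03:26 srcip=192.0.2.91 dstport=23 action=deny dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" crlevel=critical
date=2016-11-26 time=17:03:41 srcip=198.51.100.7 dstport=23 action=deny dstcountry="United Kingdom" srccountry="Netherlands" trandisp=noop service="TELNET" crlevel=critical
date=2016-11-26 time=17:04:02 srcip=192.0.2.14 dstport=22 action=deny dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="SSH" crlevel=high
date=2016-11-26 time=17:04:09 srcip=203.0.113.5 dstport=443 action=accept othersrccountry="Reserved" service="HTTPS" crlevel=low'

# The expression from the first post: (.+) is greedy and runs to end of line,
# and the unanchored key also matches inside "othersrccountry".
greedy_srccountry() {
    sed -nE 's/^.*srccountry=(.+)$/\1/p'
}

# get_field KEY: read log lines on stdin, print the value of KEY per matching line.
#   (^| )      key must start at a field boundary
#   "[^"]*"    quoted value stops at the closing quote
#   [^ ]*      unquoted value (e.g. action=deny) stops at the next space
get_field() {
    key=$1
    grep -Eo "(^| )${key}=(\"[^\"]*\"|[^ ]*)" \
        | sed -E "s/^ ?${key}=//; s/^\"(.*)\"\$/\1/"
}

# count_by KEY: tally the values of KEY, most frequent first, as "COUNT VALUE".
count_by() {
    get_field "$1" | sort | uniq -c | sort -rn \
        | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n, $0 }'
}

# Stand-alone demo: source-country tally over the constructed sample.
printf '%s\n' "$SAMPLE" | count_by srccountry
```
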
