
Regular Expressions


    I'm hoping somebody on the panel can help me. I am trying to extract some information from a log file. See below for an example:

    date=2016-11-26 time=17:03:26 devname=XXXXX3X15013159 devid=XXXXX3X15013159 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=109.176.192.91 srcport=4927 srcintf="wan" dstip=xxx.xxx.xxx.170 dstport=23 dstintf="root" sessionid=2417401 proto=6 action=deny policyid=0 policytype=local-in-policy dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical
    When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" I get

    "United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical
    How do I just get the country from the Log?
    SUFTUM

    May life give you what you need, rather than what you want....

    #2
    Originally posted by Netraider View Post
    I'm hoping somebody on the panel can help me. I am trying to extract some information from a log file. See below for an example:

    When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" I get

    How do I just get the country from the Log?
    Scanning that ip....

    Comment


      #3
      "^.*srccountry=\"(.+)\"$" should do it from memory...
      merely at clientco for the entertainment

      Comment


        #4
        Originally posted by eek View Post
        "^.*srccountry=\"(.+)\"$" should do it from memory...
        Unfortunately, the form that I enter the expression into says "Regular Expression did not match".
        SUFTUM

        May life give you what you need, rather than what you want....

        Comment


          #5
          RegExr: Learn, Build, & Test RegEx
          "If you didn't do anything that wasn't good for you it would be a very dull life. What are you gonna do? Everything that is pleasant in life is dangerous."

          I want to see the hand of history on his collar.

          Comment


            #6
            Originally posted by Netraider View Post
            Unfortunately, the form that I enter the expression into says "Regular Expression did not match".
            Originally posted by eek View Post
            "^.*srccountry=\"(.+)\"" should do it from memory...
            Yep, because it's got a $ you don't need. Try the above.
            merely at clientco for the entertainment

            Comment


              #7
              Originally posted by vetran View Post
              Cheers Veteran, I'll work through and see how I go.
              Last edited by Netraider; 27 November 2016, 18:37. Reason: Wrong poster mentioned
              SUFTUM

              May life give you what you need, rather than what you want....

              Comment


                #8
                Originally posted by Netraider View Post
                Cheers Veteran, I'll work through and see how I go.

                Comment


                  #9
                  Originally posted by mudskipper View Post
                  Scary thing is Regex is basically a superpower!

                  Many a time someone has said there is no way we can go through all that: there are megabytes, gigabytes, terabytes (depending on the decade) of log files, and a day later we have 200 lines to look at. I still struggle with the syntax, but between grep/awk & regex it has saved lots of situations.
                  "If you didn't do anything that wasn't good for you it would be a very dull life. What are you gonna do? Everything that is pleasant in life is dangerous."

                  I want to see the hand of history on his collar.

                  Comment


                    #10
                    Originally posted by Netraider View Post
                    When I use Regular Expression "^.*srccountry=(.+)$" to try and extract the country from "srccountry" ...
                    The ^.* matches preceding garbage. For the trailing garbage the $ would be .*$; however, both are redundant for your purpose and can be omitted.

                    The (.+) matches to the end of the line and not just the desired string, and the () are redundant in that context anyway. Probably you want to match a string bounded by quotes and not itself including the quote char, e.g. "[^"]*"

                    Add a leading (^| ) if matching on othersrccountry="..." would be bothersome.

                    In the shell, 'single quotes' save you from having to use backslash escapes.

                    Code:
                    $ cat test.dat
                    date=2016-11-26 time=17:03:26 devname=XXXXX3X15013159 devid=XXXXX3X15013159 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=xx.xx.xx.xx srcport=4927 srcintf="wan" dstip=xxx.xxx.xxx.170 dstport=23 dstintf="root" sessionid=2417401 proto=6 action=deny policyid=0 policytype=local-in-policy dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical
                    
                    $ grep -Eo "srccountry=\"[^\"]*\"" test.dat
                    srccountry="United Kingdom"
                    
                    $ grep -Eo 'srccountry="[^"]*"' test.dat 
                    srccountry="United Kingdom"
                    Last edited by Contreras; 29 November 2016, 23:43.

                    Comment
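                    The point made in #10 (and the original question in #1) in one runnable script, added here as an example and not posted by anyone in the thread: a bounded match srccountry="[^"]*" pulls out just the country, while the original srccountry=(.+)$ style match swallows the rest of the line. The function names quoted_field, greedy_field and run_on_line are my own; the sample line is the masked one from #10, and the script assumes grep -E/-o and sed -E are available.

```shell
#!/bin/sh
# Added example (not from the thread): extract a quoted key="value" field
# from a key=value log line, bounded match vs. the greedy (.+)$ match.

# Sample log line as posted in #10 (source IP already masked by the poster).
LOGLINE='date=2016-11-26 time=17:03:26 devname=XXXXX3X15013159 devid=XXXXX3X15013159 logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=xx.xx.xx.xx srcport=4927 srcintf="wan" dstip=xxx.xxx.xxx.170 dstport=23 dstintf="root" sessionid=2417401 proto=6 action=deny policyid=0 policytype=local-in-policy dstcountry="United Kingdom" srccountry="United Kingdom" trandisp=noop service="TELNET" app="Console Management(Telnet)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=critical'

# quoted_field KEY : print the unquoted value of KEY="..." for each stdin line.
# (^| ) anchors on a field boundary so e.g. dstcountry never matches srccountry;
# [^"]* stops at the closing quote instead of running on to the end of the line.
# sed then strips the optional leading space, the key and the quotes.
quoted_field() {
    grep -Eo "(^| )$1=\"[^\"]*\"" | sed -E "s/^ ?$1=\"([^\"]*)\"\$/\1/"
}

# greedy_field KEY : the (.+)$ style match from the original question, kept
# for contrast; it returns everything from the key to the end of the line.
greedy_field() {
    grep -Eo "$1=.+\$"
}

# run_on_line FUNC KEY : feed the sample line to FUNC with KEY as its argument.
run_on_line() {
    fn=$1
    key=$2
    printf '%s\n' "$LOGLINE" | "$fn" "$key"
}

# Demo output when run directly.
printf 'bounded srccountry : %s\n' "$(run_on_line quoted_field srccountry)"
printf 'bounded app        : %s\n' "$(run_on_line quoted_field app)"
printf 'greedy  srccountry : %s\n' "$(run_on_line greedy_field srccountry)"
```

                    The bounded version is also the safer one to put in a log-parsing form or pipeline: a value containing spaces or parentheses (the app field above) comes back intact, and the field-boundary anchor stops a longer key that merely ends in the same name from matching.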
