Home > Software engineering >  Regex Group Name prefix multiple options
Regex Group Name prefix multiple options

Time:04-08

I'm performing regex extraction for parsing logs for our SIEM. I'm working with PCRE2. In those logs, I have this problem: I have to extract a field that can be preceded by multiple options and I want use only one group name.

Let me be clearer with an example.

The SSH connection can appear in our log with this form:

UserType=SSH,

And I know that a simple regex expression to catch this is:

UserType=(?<app>.*?),

But, at the same time, SSH can appear with another "prefix":

ACCESS TYPE:SSH;

that can be captured with:

ACCESS\sTYPE:(?<app>.*?);

Now, because the logical field is the same (SSH protocol) and I want map it in every case under group name "app", is there a way to put the previous values in OR and use the same group name?

The desiderd final result is something like:

(UserType=) OR (ACCESS TYPE:) <field_value_here>

CodePudding user response:

You can use

(?:UserType=|ACCESS\sTYPE:)(?<app>[^,;] )

See the regex demo. Details:

  • (?:UserType=|ACCESS\sTYPE:) - either UserType= or ACCESS whitespace TYPE:
  • (?<app>[^,;] ) - Group "app": one or more chars other than , and ;.

Page link:https//www.codepudding.com/Softwareengineering/364381.html

Prev:Extract all the matched groups of a regular expression in a string
Next:match everything inside of * with no whitespaces
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding