Regex Group Name prefix multiple options

I’m performing regex extraction for parsing logs for our SIEM. I’m working with PCRE2.
In those logs, I have this problem: I have to extract a field that can be preceded by multiple options and I want to use only one group name.

Let me be clearer with an example.

The SSH connection can appear in our log with this form:


UserType=SSH, 

And I know that a simple regex expression to catch this is:

UserType=(?<app>.*?),

But, at the same time, SSH can appear with another "prefix":

ACCESS TYPE:SSH;

that can be captured with:

ACCESS\sTYPE:(?<app>.*?);

Now, because the logical field is the same (SSH protocol) and I want to map it in every case under group name "app", is there a way to put the previous values in OR and use the same group name?

The desired final result is something like:

(UserType=) OR (ACCESS TYPE:) <field_value_here>

>Solution :

You can use

(?:UserType=|ACCESS\sTYPE:)(?<app>[^,;]+)

See the regex demo. Details:

  • (?:UserType=|ACCESS\sTYPE:) – either UserType= or ACCESS + whitespace + TYPE:
  • (?<app>[^,;]+) – Group "app": one or more chars other than , and ;.
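As an added example (not part of the question or the answer), the pattern from the answer run with Python's `re` over a few constructed log lines, alongside the lazy `.*?` variant from the question, to show why the `[^,;]+` form is the safer choice for SIEM field extraction. Python spells the named group `(?P<app>...)` where PCRE2 uses `(?<app>...)`; the rest of the pattern is identical.

```python
import re

# The answer's pattern, with the named group written in Python's (?P<name>...) form.
# One group name "app" serves both prefixes because the alternation sits in a
# non-capturing group in front of it.
APP_PATTERN = re.compile(r"(?:UserType=|ACCESS\sTYPE:)(?P<app>[^,;]+)")

# The question's lazy form, extended with the same alternation. It needs a
# terminator (',' or ';') to appear after the value, otherwise it does not match.
APP_PATTERN_LAZY = re.compile(r"(?:UserType=|ACCESS\sTYPE:)(?P<app>.*?)[,;]")

# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z host1 UserType=SSH, src=10.0.0.5 result=ok",
    "2024-05-01T10:00:01Z host2 ACCESS TYPE:SSH; src=10.0.0.6 result=ok",
    "2024-05-01T10:00:02Z host3 UserType=RDP",    # value at end of line, no terminator
    "2024-05-01T10:00:03Z host4 LOGIN kind=SSH",  # neither prefix: no "app" field
]


def extract_app(line, pattern=APP_PATTERN):
    """Return the value of the 'app' field, or None when no known prefix is present."""
    match = pattern.search(line)
    return match.group("app") if match else None


def extract_all(lines, pattern=APP_PATTERN):
    """Extract the 'app' field from every line; None marks lines without the field."""
    return [extract_app(line, pattern) for line in lines]


if __name__ == "__main__":
    for line, app, lazy in zip(SAMPLE_LOGS, extract_all(SAMPLE_LOGS),
                               extract_all(SAMPLE_LOGS, APP_PATTERN_LAZY)):
        print(f"{app!s:5} (lazy: {lazy!s:5}) <- {line}")
```

The third line shows the practical difference: `[^,;]+` still yields `RDP` when the value closes the line, while the lazy form returns nothing because its required terminator is absent.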