I have a SINGLE event in the following format (this is only part of the log):
/root/pegaruninit: Empty file
/root/eicar: Eicar-Test-Signature FOUND
/root/.bash_history: Empty file
This is part of an Antivirus log which is a "dump" of all the locations it scanned, and any viruses or signatures that it found.
What I want to do is create a REGEX and REPORT that extracts the "Eicar-Test-Signature" from the log, and place it in a field called "virus_found".
props.conf:
REPORT-extract_virus_clamav = extract_virus_clamav
transforms.conf:
[extract_virus_clamav]
REGEX = :\s(.+?)\sFOUND
FORMAT = virus_found::$1
Problem is that it is taking the FIRST ":" and taking everything from " Empty file/root/eicar: Eicar-Test-Signature" and placing THIS in the new field.
Is there a way to call a field extraction from ONE line at a time, from a multi-line event?
E.g.: if the REGEX does not match the ":" AND the "FOUND" in one line, it continues to look through other lines?
I hope this makes sense!
Thanks!
Don't let your capture group include newlines and you should be ok.
REGEX = :\s([^\r\n]+)\sFOUND
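To see why the original regex grabs text from the first ":" in the event and why the accepted answer's character class fixes it, here is an added Python example (not code from the original thread or from Splunk). It uses the three log lines from the question as a constructed multi-line event. The behaviour the poster reports implies that "." crosses line breaks in that engine; that is emulated here with re.DOTALL and is an assumption. The helper names and the extra path-plus-signature extraction at the end are my own additions.

```python
import re

# Constructed sample event: the three lines from the question joined as one
# multi-line event, the way a REPORT extraction would see the whole event.
EVENT = (
    "/root/pegaruninit: Empty file\n"
    "/root/eicar: Eicar-Test-Signature FOUND\n"
    "/root/.bash_history: Empty file\n"
)

ORIGINAL = r":\s(.+?)\sFOUND"      # regex from the question
FIXED = r":\s([^\r\n]+)\sFOUND"    # regex from the accepted answer


def extract_virus_found(event, regex, dot_matches_newline=False):
    """Return the value that would land in virus_found (group 1), or None.

    dot_matches_newline=True makes '.' cross line breaks (re.DOTALL), which
    reproduces the over-capture the poster describes.  The regex engine
    starts at the earliest position where a match can succeed, i.e. the first
    ':' in the event; the lazy '.+?' then simply grows until ' FOUND' is
    reached, even if that means swallowing a line break.
    """
    flags = re.DOTALL if dot_matches_newline else 0
    m = re.search(regex, event, flags)
    return m.group(1) if m else None


def extract_per_line(event, regex):
    """Apply the regex to each line separately, which is what the poster
    asked for; returns every per-line capture in order."""
    hits = []
    for line in event.splitlines():
        m = re.search(regex, line)
        if m:
            hits.append(m.group(1))
    return hits


def extract_all_findings(event):
    """Goes beyond the thread: pull (scanned_path, signature) for every
    'FOUND' line in a scan dump.  '[^\\r\\n]+' keeps each capture inside its
    own line, and re.MULTILINE lets ^/$ anchor on each line."""
    pattern = r"^([^\r\n:]+):\s([^\r\n]+)\sFOUND$"
    return re.findall(pattern, event, re.MULTILINE)


if __name__ == "__main__":
    print("original, dot crosses newlines:",
          repr(extract_virus_found(EVENT, ORIGINAL, dot_matches_newline=True)))
    print("fixed, dot crosses newlines:   ",
          repr(extract_virus_found(EVENT, FIXED, dot_matches_newline=True)))
    print("original, per line:            ", extract_per_line(EVENT, ORIGINAL))
    print("all findings:                  ", extract_all_findings(EVENT))
```

Run as written, the first line shows the over-capture ("Empty file\n/root/eicar: Eicar-Test-Signature"), the second shows the fixed regex returning just "Eicar-Test-Signature" because the character class cannot extend past the end of the first line, so the engine gives up there and retries from the next ":". The per-line helper and the findall variant both give the same clean value, which is the behaviour a detection rule keyed on virus_found needs.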
Perfect solution. Thanks!
