I have a log format that contains KEY/VALUE pairs in this format:
Feb 10 12:02:38 192.168.56.101 Feb 10 12:02:37 PROMETHEUS/192.168.56.101 THOR: Info: MODULE: UserAccounts MESSAGE: User Account USER: trinity FULL_NAME: trinity PRIV: 1 LAST_LOGON: 03/02/2014 13:52:38 BADPWCOUNT: 0 LOGON_SERVER: \\* NUM_LOGONS: 8 PASS_AGE: 78.00 days
The thing is that the values are terminated by the next key, so the extraction would be:
(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) [A-Z_]+:
The problem I face is that it only extracts the first, third, fifth, seventh ... key/value pair as it skips the following key as part of the first extraction.
Is there a way to handle this?
According to RegExr, this should work:
(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) (?=[A-Z_]+:)
It matches the next key without including it in the result.
I changed it a bit so that it also includes the last key/value pair:
(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?)(?=(\s[A-Z_]+:)|$)
Awesome. This works. Thanks
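The three patterns from this thread, run side by side over the sample event from the question, as an added example that is not part of the original posts. The only changes are Python's (?P<name>...) spelling for named groups and the assumption that [A-Z_] is the key class in all three patterns; the function and dictionary names are made up for the illustration.

```python
import re

# Sample event copied from the question; raw strings keep the backslashes as-is.
EVENT = (
    r"Feb 10 12:02:38 192.168.56.101 Feb 10 12:02:37 PROMETHEUS/192.168.56.101 "
    r"THOR: Info: MODULE: UserAccounts MESSAGE: User Account USER: trinity "
    r"FULL_NAME: trinity PRIV: 1 LAST_LOGON: 03/02/2014 13:52:38 BADPWCOUNT: 0 "
    r"LOGON_SERVER: \\* NUM_LOGONS: 8 PASS_AGE: 78.00 days"
)

PATTERNS = {
    # Original attempt: the terminating key is consumed, so the next
    # search starts after it and every second pair is skipped.
    "consuming": r"(?P<_KEY_1>[A-Z_]+): (?P<_VAL_1>.*?) [A-Z_]+:",
    # Lookahead: the next key is checked but not consumed. The last pair
    # is still lost because no key follows it.
    "lookahead": r"(?P<_KEY_1>[A-Z_]+): (?P<_VAL_1>.*?) (?=[A-Z_]+:)",
    # Lookahead that also accepts end of input as a terminator.
    "lookahead_or_end": r"(?P<_KEY_1>[A-Z_]+): (?P<_VAL_1>.*?)(?=(\s[A-Z_]+:)|$)",
}


def extract(pattern, event):
    """Return (key, value) pairs in the order they appear in the event."""
    return [(m.group("_KEY_1"), m.group("_VAL_1"))
            for m in re.finditer(pattern, event)]


def keys(name):
    """Keys found in EVENT by the named pattern."""
    return [k for k, _ in extract(PATTERNS[name], EVENT)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        pairs = extract(pattern, EVENT)
        print(f"{name}: {len(pairs)} pairs")
        for key, value in pairs:
            print(f"    {key} = {value!r}")
```

A value that itself contains an uppercase word followed by a colon is split into an extra pair by all three patterns, so fields carrying free text are better served by a format-specific rule.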
No. There are more than 40 different formats. I use to extract them separately by specific extraction rules and would like to extract all by a single rule. i.e. what I normally do is "DOMAIN: (?
Are the keys always the same and in the same order?