I'm trying to figure out a better way of doing a regex for data like the one below
Protocol: TCP, SrcIP: 1.2.3.4, OriginalClientIP: ::, DstIP: 5.6.7.8, SrcPort: 1234, DstPort: 678, TCPFlags: 0x0, DE: some engine (6xxxxxe-a010-11e7-b61b-xxxxxxx), Policy: my-home-policy, ConnectType: End, AccessControlRuleName: AB-CD-EFG, AccessControlRuleAction: Allow, Prefilter Policy: AB-CD-EFG, UserName: User A, InitiatorPackets: 4, ResponderPackets: 2, InitiatorBytes: 288, ResponderBytes: 148, NAPPolicy: AB-CD-EFG-Analysis-Policy, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Highly Risky
I was looking to split this into key-value pairs, so it becomes
Protocol=TCP
OriginalClientIP=""
UserName="User A"
So the key-value split is :\s and then .* until it finds a comma.
(?<key>\w+):\s+(?<value>.*?)(\,|$)
The above regex works in regex101, but not in transforms.conf. Or, to put it more precisely, the value is not getting assigned to the key.
What exactly does your transforms.conf look like?
Should be something like:
[<stanzaname here>]
REGEX = (\w+):\s+([^,]*)(?:,|$)
FORMAT = $1::$2
And why not simply use:
DELIMS = ",", ":"
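To see what the two suggestions in the answer actually produce on the asker's event, here is an added Python emulation (it is not code from the thread or from Splunk). extract_regex applies the answer's REGEX with FORMAT = $1::$2 semantics (one field per match, repeated names collected as a multivalue list); extract_delims approximates DELIMS = ",", ":" by splitting pairs on "," and each pair on its first ":" (that "first colon" rule is an assumption about Splunk's behaviour, not something the docs are quoted for here). The sample line is the one from the question. The run shows one caveat the thread does not spell out: the key "Prefilter Policy" contains a space, so \w+ only captures "Policy", which then collides with the earlier "Policy: my-home-policy" field, whereas the DELIMS split keeps "Prefilter Policy" as its own key.

```python
import re
from collections import defaultdict

# Constructed sample input: the connection event posted in the question.
SAMPLE = (
    "Protocol: TCP, SrcIP: 1.2.3.4, OriginalClientIP: ::, DstIP: 5.6.7.8, "
    "SrcPort: 1234, DstPort: 678, TCPFlags: 0x0, "
    "DE: some engine (6xxxxxe-a010-11e7-b61b-xxxxxxx), Policy: my-home-policy, "
    "ConnectType: End, AccessControlRuleName: AB-CD-EFG, "
    "AccessControlRuleAction: Allow, Prefilter Policy: AB-CD-EFG, UserName: User A, "
    "InitiatorPackets: 4, ResponderPackets: 2, InitiatorBytes: 288, ResponderBytes: 148, "
    "NAPPolicy: AB-CD-EFG-Analysis-Policy, DNSResponseType: No Error, Sinkhole: Unknown, "
    "URLCategory: Unknown, URLReputation: Highly Risky"
)

# The REGEX from the accepted answer. With FORMAT = $1::$2 Splunk names the
# field after group 1 and gives it the value of group 2, once per match.
KV_REGEX = re.compile(r"(\w+):\s+([^,]*)(?:,|$)")


def extract_regex(line):
    """Emulate REGEX + FORMAT = $1::$2.

    Every match becomes a field; a field name that matches more than once
    is returned as a list, mirroring a multivalue field.
    """
    fields = defaultdict(list)
    for key, value in KV_REGEX.findall(line):
        fields[key].append(value)
    return dict(fields)


def extract_delims(line):
    """Approximate DELIMS = ",", ":".

    Pairs are split on ",", then each pair on its FIRST ":" and both sides
    are stripped of whitespace. Splitting on the first ":" only is an
    assumption about how Splunk handles a value that itself contains ":"
    (such as the IPv6 "::" above); check the transforms.conf docs.
    """
    fields = {}
    for pair in line.split(","):
        if ":" not in pair:
            continue  # no key/value separator: nothing to extract
        key, value = pair.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    by_regex = extract_regex(SAMPLE)
    by_delims = extract_delims(SAMPLE)
    # Same three fields the question asked for:
    print("Protocol        =", by_regex["Protocol"][0])
    print("OriginalClientIP=", repr(by_regex["OriginalClientIP"][0]))
    print("UserName        =", repr(by_regex["UserName"][0]))
    # The caveat: \w+ cannot capture a key with a space in it.
    print("regex  Policy   =", by_regex["Policy"])          # two values
    print("delims Policy   =", by_delims["Policy"])
    print("delims Prefilter Policy =", by_delims["Prefilter Policy"])
```

If the regex route is kept, the field-name collision is the thing to watch for: in Splunk it would surface as a multivalue Policy field rather than as an error, so a search for Policy=my-home-policy still matches but Prefilter Policy is silently lost.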
DELIMS did the trick. Thanks for the idea.
Thanks for your DELIMS suggestion. I will try that out.
(The transforms looks like what you mentioned. I have seen in other posts that we might need to put double quotes around FORMAT, so something like FORMAT = "$1": $2. I will try both of them anyway.)
Looking at the transforms.conf documentation, it should be just FORMAT=$1::$2.