
I'm building an extractor in Graylog to pull tac_plus syslog data.

I have a log:

<70>Oct 13 10:10:05 auth tac_plus[17354]: 2015-10-13 10:10:05 -0500#01110.10.89.1#011jmartinez#011tty132#01110.10.1.27#011stop#011task_id=146#011timezone=CDT#011service=shell#011start_time=1444747732#011priv-lvl=15#011cmd=show running-config <cr>

I want to extract the individual statements between the #011 markers. I was able to get the first section, the IP, with:

(?<=#011)(.*?)(?=#011)

Now I want to extract the 'jmartinez'. I'm trying:

#011.*?#011(.*)(#011)

but it matches:

jmartinez#011tty132#01110.10.1.27#011stop#011task_id=146#011timezone=CDT#011service=shell#011start_time=1444747732#011priv-lvl=15

if I do:

#011.*?#011(.*)(#011tty)

it seems to work, but I'd rather it not rely on seeing #011tty because it might be something else in another message.

What about the next one? How can I extract tty132, 10.10.1.27, stop, task_id=146, etc.?

any help would be greatly appreciated!

1 Answer


The simple answer is to use a reluctant quantifier (just like your working IP capture):

#011.*?#011(.*?)#011

But I would go further and capture all groups at once, eg:

#011(.*?)#011(.*?)#011(.*?)#011(.*?)#011(.*?)#011(.*?)#011
Bohemian
  • Good god. I swear I tried that. I can't capture them all at once but this helps me greatly! Thank you! – Jose Martinez Oct 13 '15 at 16:05
  • @Jose just remember that `.*` gobbles up everything it can and still match. Actually, it consumes everything to the end of the input, then back-tracks until the following term matches something. – Bohemian Oct 13 '15 at 16:10
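A parser for this record layout, added here as an example that is not from the question or the answer: it splits on the syslog-escaped tab (`#011`, or a literal tab when the line arrives unescaped), names the positional fields (the names `nas_ip`, `client_ip` and `type` are assumed from the tac_plus accounting layout, not stated on the page), parses the trailing `key=value` attributes, and applies the answer's reluctant-quantifier pattern for comparison.

```python
import re

# Constructed sample: the tac_plus accounting line from the question, as syslog
# renders it with every tab escaped as "#011" (octal 011 = TAB).
SAMPLE = ("<70>Oct 13 10:10:05 auth tac_plus[17354]: 2015-10-13 10:10:05 -0500"
          "#01110.10.89.1#011jmartinez#011tty132#01110.10.1.27#011stop"
          "#011task_id=146#011timezone=CDT#011service=shell"
          "#011start_time=1444747732#011priv-lvl=15#011cmd=show running-config <cr>")

# Field separator: the escaped tab syslog emits, or a literal tab if the record
# is read straight from the tac_plus accounting file instead of via syslog.
SEP = re.compile(r"#011|\t")

# The answer's reluctant-quantifier pattern: capture the second delimited field.
USER_RE = re.compile(r"#011.*?#011(.*?)#011")

# Positional fields of a tac_plus accounting record, in order (names assumed).
# Everything after them is a run of key=value attribute pairs.
POSITIONAL = ("timestamp", "nas_ip", "user", "port", "client_ip", "type")


def parse_tac_plus(line: str) -> dict:
    """Split a syslog-wrapped tac_plus accounting line into named fields."""
    # Drop the syslog header up to and including the "tac_plus[pid]: " tag.
    _, _, body = line.partition("]: ")
    parts = SEP.split(body)
    if len(parts) < len(POSITIONAL):
        raise ValueError("not a tac_plus accounting record")
    record = dict(zip(POSITIONAL, parts))
    attrs = {}
    for kv in parts[len(POSITIONAL):]:
        key, eq, value = kv.partition("=")
        attrs[key] = value if eq else ""   # bare attribute -> empty value
    record["attrs"] = attrs
    return record


def second_field(line: str) -> str:
    """What the answer's regex captures: the username field."""
    m = USER_RE.search(line)
    return m.group(1) if m else ""


if __name__ == "__main__":
    r = parse_tac_plus(SAMPLE)
    print(r["user"], r["port"], r["type"], r["attrs"]["cmd"])
```

Splitting on the separator rather than chaining `(.*?)#011` groups keeps the parser correct when a record carries more or fewer attributes than this one, which is why the fixed-count pattern from the answer could not capture every field.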