Account for white space in capture group

Question

I have a regex that captures the group security ID from Windows Down-Level format. It strips the domain part to only capture the ensuing ID after the "\"

Regex: Group:\s+Security\s+ID:\s+.*?\\([^ ]+)

Group:  Security ID:  CORP\VirtualUsers (match success)

However, if there is a space in the group name it does not match properly. It only matches on "VM"

Group:  Security ID:  CORP\VM Admins

How would I go about matching either scenario whether there is a space or not? Here is a link to my use case - https://regex101.com/r/gzFe0J/1

Use [`Group:\s+Security\s+ID:\s+[^\\]*\\(.+?)\s+Group Name:`](https://regex101.com/r/gzFe0J/2) if `Group Name:` always appears after that value. — Wiktor Stribiżew, Feb 15 '17 at 23:38
@WiktorStribiżew - This works but I just realized that there may be a case where "Group Name:" does not come afterward. Some WIndows logging has "Account Name:" following. See [link](https://regex101.com/r/yuoAVu/1) — Heisenberg, Feb 16 '17 at 00:44
I added one more, simple, regex solution, and adjusted the initial one. — Wiktor Stribiżew, Feb 16 '17 at 07:58

score 2 · Answer 1 · answered Feb 15 '17 at 23:43

2

In Your case it seems like Group Name always appears after Group, If so:

Use

Group:\s+Security\s+ID:\s+.*?\\(.*)Group Name

answered Feb 15 '17 at 23:43

Mithilesh Gupta

2,800
1
17
17

score 2 · Answer 2 · answered Feb 15 '17 at 23:45

2

One way could be:

Group:.+?\\\\((?:(?![ ]{2,}).)+)

See your modified example.

Explained (double backslashes are only need for Java):

Group:.+?\\\\         # looks for "Group:", anything lazily afterwards
                    # until a backslash
((?:(?![ ]{2,}).)+) # neg. lookahead, not two spaces consecutively

answered Feb 15 '17 at 23:45

Jan

42,290
8
54
79

This appears to work in all 3 of my examples [link](https://regex101.com/r/msHctQ/1) - Further testing to be performed. I really need to study my Regex constructs to improve my skills. Thanks much!!! – Heisenberg Feb 16 '17 at 00:55

Wiktor Stribiżew · Accepted Answer · 2017-02-16T07:57:36.017

Since your ID value always appears before Group Name: or Account Name: add it as right-hand context and capture all between Group: Security ID: DOMAIN\ and Group Name: / Account Name::

Group:\s+Security\s+ID:\s+[^\\]*\\(.+?)\s+(?:Group|Account)\s+Name:

See the regex demo. The [^\\]* will match zero or more chars other than \ before a \, \\ will match a \ and (.+?) will capture any 1+ chars as few as possible up to the first Group Name: or Account Name:.

If your ID can only contain spaces that are enclosed with non-spaces, you need a simple \S+(?: \S+)* pattern, no need for a tempered greedy token with lookahead:

Group:\s+Security\s+ID:\s+[^\\]*\\(\S+(?: \S+)*)

See another regex demo

See the Java demo:

String str = "<13>Jan 09 12:33:50 TESTSRV1 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.2.4.86    Source=Microsoft-Windows-Security-Auditing    Computer=corp.devnet.com    OriginatingComputer=TESTSRV1    User=    Domain=    EventID=4755    EventIDCode=4755    EventType=8    EventCategory=13826    RecordNumber=1244048130    TimeGenerated=1483983229    TimeWritten=1483983229    Level=0    Keywords=0    Task=0    Opcode=0    Message=A security-enabled universal group was changed.  Subject:  Security ID:  CORP\\TESTUSR1  Account Name:  TESTUSR1  Account Domain:  CORP  Logon ID:  0x220f7a57  Group:  Security ID:  CORP\\Virtual Users  Group Name:  VirtualUsers  Group Domain:  CORP  Changed Attributes:  SAM Account Name: -  SID History:  -  Additional Information:  Privileges:  -";
Pattern ptrn = Pattern.compile("Group:\\s+Security\\s+ID:\\s+[^\\\\]*\\\\(.+?)\\s+(?:Account|Group)\\s+Name:");
Matcher matcher = ptrn.matcher(str);
while (matcher.find()) {
    System.out.println(matcher.group(1));
}

This works and I take it that it would be less resource intensive than using the greedy token with lookahead. Would you agree? This thread will give me a good base to study the different construct techniques. I appreciate your help. — Heisenberg, Feb 16 '17 at 14:05
You understand me right: a [tempered greedy token](http://stackoverflow.com/a/37343088/3832970) is quite a resource consuming pattern. It should be unrolled to match faster. Using a quantified group is a less "expensive" way to match the strings you have. — Wiktor Stribiżew, Feb 16 '17 at 14:14

score 0 · Answer 4 · answered Feb 16 '17 at 12:28

You simply need to change your regex from:
Group:\s+Security\s+ID:\s+.*?\\([^ ]+)
to:
Group:\s+Security\s+ID:\s+.*?\\(\w+ ?\w+)
That's it.

(\w+ ?\w+) it matches one word then a single optional whitespace and then the second word that you need.

your question How would I go about matching either scenario whether there is a space or not?

With making the match as an optional match by ?

Account for white space in capture group

4 Answers4