
Help : Need Regex Mapping
Hi,
Can anyone help to write a regex mapping for the events below?
2014-05-02 00:56:15,678 [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider Internal logon request with User: ErsAdmin
2014-05-02 00:56:15,881 [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider User ErsAdmin logged off.
2014-05-02 00:56:15,881 [http-localhost%2F127.0.0.1-9300-5] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider logon request from NNMi trusted User: opcprado, Role: level1, UserGroups: level1
2014-05-02 01:02:00,585 [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider User opcprado logged off.
There are 3 events above.
I would like to map it as three columns.
Eg: deviceReceiptTime (eg: 2014-05-02 00:56:15,678)
Action (eg: [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider Internal logon request with User)
UserName (eg: ErsAdmin)
There is UserName in each event. I need to fetch that mainly.
Please help.
Thanks & Regards
Jayakrishnan

Hi,
Check with the below regex to capture 3 fields
(\d+)\-(\d+)\-(\d+) (\d\d:\d\d:\d\d),(\d+) \[http\-localhost%(\d+)F(\d+\.\d+\.\d+\.\d+)\-(\d+)\-(\d+)\] INFO (\S+) Internal logon request with User: (\S+)
Regards, Mazhar

You're probably going to be best served by using sub messages to parse the three different event types; the regex provided above only caters for the first event (see slide 31 onwards in ). If you really want to do it with a single regex, the following works, though you'll need to wrap the username in an __Replace() to get rid of the comma from the third event.
^(\S+\s\S+) (\[[^]]+\]) (\S+)\s+(\S+)\s+(.*User(?::)? (\S+).*)
Properties file/Java Friendly version
"^(\\S+\\s\\S+) (\\[[^]]+\\]) (\\S+)\\s+(\\S+)\\s+(.*User(?::)? (\\S+).*)"
Produces the following captures:
Event 1
group 1: 2014-05-02 00:56:15,678
group 2: [http-localhost%2F127.0.0.1-9300-13]
group 3: INFO
group 4: com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider
group 5: Internal logon request with User: ErsAdmin
group 6: ErsAdmin
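The sub-message idea from the reply above, sketched in Python as an added example (not code from the thread and not FlexConnector properties syntax): a shared header regex splits each line, then one pattern per message type extracts the user. The action labels and function names are assumptions made for the example; the sample lines are the ones posted in the question.

```python
import re

# Sample lines copied from the question in this thread.
SAMPLE = [
    "2014-05-02 00:56:15,678 [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider Internal logon request with User: ErsAdmin",
    "2014-05-02 00:56:15,881 [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider User ErsAdmin logged off.",
    "2014-05-02 00:56:15,881 [http-localhost%2F127.0.0.1-9300-5] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider logon request from NNMi trusted User: opcprado, Role: level1, UserGroups: level1",
    "2014-05-02 01:02:00,585 [http-localhost%2F127.0.0.1-9300-13] INFO com.hp.ov.cr.auth.cognos.ErsAuthenticationProvider User opcprado logged off.",
]

# Header shared by every line: timestamp, [thread], level, logger class, message.
BASE = re.compile(r"^(\S+\s\S+) (\[[^\]]+\]) (\S+)\s+(\S+)\s+(.*)$")

# One anchored pattern per message type; the labels are assumed names.
SUB_MESSAGES = [
    ("internal_logon", re.compile(r"^Internal logon request with User: (\S+)$")),
    ("trusted_logon", re.compile(r"^logon request from NNMi trusted User: ([^,\s]+),")),
    ("logoff", re.compile(r"^User (\S+) logged off\.$")),
]

def parse_line(line):
    """Return the three requested fields, or None if the header does not match."""
    head = BASE.match(line)
    if head is None:
        return None
    timestamp, _thread, _level, _logger, message = head.groups()
    for action, pattern in SUB_MESSAGES:
        m = pattern.match(message)
        if m:
            return {"deviceReceiptTime": timestamp, "action": action, "userName": m.group(1)}
    # Keep lines with an unknown message visible instead of silently dropping them.
    return {"deviceReceiptTime": timestamp, "action": "unparsed", "userName": None}

# The single regex from the reply, for comparison: group 6 keeps the comma on event 3.
SINGLE = re.compile(r"^(\S+\s\S+) (\[[^]]+\]) (\S+)\s+(\S+)\s+(.*User(?::)? (\S+).*)")

def single_regex_user(line):
    """Username via the single regex, with the trailing comma stripped afterwards."""
    m = SINGLE.match(line)
    return m.group(6).rstrip(",") if m else None

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_line(entry), single_regex_user(entry))
```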