Support Questions

ask_bill_brooks · ‎03-11-2020

Below is the text and I need to write the regular expression so that I can extract attribute from this field.

2017-04-27 09:07:20.517342 10.69.1.138 -> 10.69.1.100 <4>Apr 27 03:37:13 kernel: [ 78.294310] TS|4294745280|00:14:5a:03:29:33|RSSI_BCN|34

timestamp:2017-04-27 09:07:20.517342

source_ip:10.69.1.138

dest_ip:10.69.1.100

mac:00:14:5a:03:29:33

obm:RSSI_BCN

dbm:34

How can I write the regex sothat I can collect each of the field from the text?

stevenmatison · ‎03-12-2020

I know some other people with big time Regex Skills can map it differently but the method I use it to get single values using strategic wildcard like searches in ReplaceText like:

timestamp : ([0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1]) (2[0-3]|[01][0-9]):([0-5][0-9]):([0-9]{2}).([0-9]{6})) .*

source_ip : .* (.*) -> .*

dest_ip : .* -> (.*) <.*

Mac : ^.*] TS\|[0-9]{10}\|([a-fA-F0-9:]{17}|[a-fA-F0-9]{12})\|.*$

dbm : ^.*\|(.*)$

I also test using a regex tester like this one: REGEX

View solution in original post

DarkStar · ‎03-12-2020

Hello Steve,
Thanks for your answer. Don't know why your provided answer is not working in my case. But I solved it in another way which I am sharing here for others
timestamp : ([0-9]{4})-([0-1][0-9])-([0-3][0-9])\s([0-1][0-9]|[2][0-3]):([0-5][0-9]):([0-5][0-9]).(\d*)

source_ip : (?:[0-9]{1,3}\.){3}[0-9]{1,3}

Mac : ([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})
dbm : (\d*)\z

Thanks!