Regular Expression Examples
Text Log Extractions
Multi-Line
^2013-01-16.{1,}16:[0-9]{2}:[0-9]{2}.+\)\x0AUSER:\s000000\x0Afinished\s.+ACCESS\sDENIED\x0a$
Breakdown:
^ Start of the multi-line pattern
2013-01-16.{1,}16:[0-9]{2}:[0-9]{2} Date stamp
.+ Any character, 1 or more times
\) The literal character ); could also be written \x29 or \051
\x0A New line; could also be written \n
USER: The next line starts with USER:
\s A whitespace character
000000 Looks for this specific number sequence
\x0A New line; could also be written \n
finished The next line starts with finished
\s A whitespace character
.+ Any character, 1 or more times
ACCESS\sDENIED Finds `ACCESS DENIED`
\x0A New line; could also be written \n
$ End of the multi-line pattern
To get the UID, token and action that was denied:
^(USER:\s)([0-9]{6})(\r\n|\n)(.+tokenName=)(([A-Z]{2}[0-9]{2,3}\.[0-9]{1})|([A-Z]{2}[0-9]{2,3}))(.+actionCode=)([A-Z]{1})(:.+DENIED)$
Collect: $2,$5,$9\n
will return: 000000,GL124,I
How it works:
^ starts the multi-line pattern
(USER:\s) looks for the user
([0-9]{6}) gets the UID
(\r\n|\n) looks for the line break
(.+tokenName=) looks for the token
(([A-Z]{2}[0-9]{2,3}\.[0-9]{1})|([A-Z]{2}[0-9]{2,3})) gets the token
(.+actionCode=) looks for the action
([A-Z]{1}) gets the action
(:.+DENIED) filters only the DENIED messages
$ ends the multi-line string
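The extraction above, run end to end as an added example (not code from the original post). It assumes Python's `re` engine with `re.MULTILINE`; the sample log is constructed, and the `denied_events` and `to_csv` helpers are hypothetical names. It also covers a case the breakdown does not: in Python, `$` will not match before a trailing `\r`, so CRLF logs are normalised first.

```python
import re

# Pattern copied verbatim from the post; groups 2, 5 and 9 hold UID, token, action.
DENIED = re.compile(
    r"^(USER:\s)([0-9]{6})(\r\n|\n)(.+tokenName=)"
    r"(([A-Z]{2}[0-9]{2,3}\.[0-9]{1})|([A-Z]{2}[0-9]{2,3}))"
    r"(.+actionCode=)([A-Z]{1})(:.+DENIED)$",
    re.MULTILINE,  # ^ and $ anchor at line boundaries inside the log text
)

# Constructed sample log (not from the post): a denied record, a granted
# record, and a denied record with Windows (CRLF) line endings.
SAMPLE_LOG = (
    "2013-01-16 host1 16:05:12 session opened (pid 4411)\n"
    "USER: 000000\n"
    "finished check tokenName=GL124 actionCode=I: ACCESS DENIED\n"
    "2013-01-16 host1 16:07:40 session opened (pid 4412)\n"
    "USER: 123456\n"
    "finished check tokenName=AP12.5 actionCode=U: ACCESS GRANTED\n"
    "2013-01-16 host2 16:09:03 session opened (pid 4413)\r\n"
    "USER: 654321\r\n"
    "finished check tokenName=AP12.5 actionCode=D: ACCESS DENIED\r\n"
)


def denied_events(log_text):
    """Return (uid, token, action) for every DENIED record in log_text."""
    # With re.MULTILINE, Python's $ matches only before "\n" or at the end of
    # the string, so "DENIED\r\n" would be missed. Normalise CRLF to LF first.
    normalised = log_text.replace("\r\n", "\n")
    return [(m.group(2), m.group(5), m.group(9))
            for m in DENIED.finditer(normalised)]


def to_csv(events):
    """Format events the way the post's 'Collect: $2,$5,$9\\n' template does."""
    return "".join(",".join(event) + "\n" for event in events)


if __name__ == "__main__":
    print(to_csv(denied_events(SAMPLE_LOG)), end="")
```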