
Below are the DNS sample logs for which I need to write a regex to capture the hostname "Renju123". The log format structure is a little different in the two samples.

The log samples are given below:

"2018-12-12 13:25:30","Renju, Jacob,M(renjutest)","Renju, Jacob, M (rtest),Renju123,Default Site,Test/firewall","10.221.5.136","XXX.XXX.XXX.XXX","Allowed","16 (A)","NOERROR","1XX.1X.1XX.1XX.Test.com.","Computer Security"

"2018-12-12 13:09:55","rtest","Renju123,Default Site,Renju Renju/Renju","10.250.33.85","XXX.XXX.XXX.XXX","Allowed","12 (PTR)","NOERROR","1XX.1X.1XX.1XX.Test.com.","Software/Technology"

The regex which I used is only capturing the first log's hostname:

(?P(?<=),).*?(?=,.?Default)) link here

But I would like to have a single regex to capture HostNames (Renju123) from both the sample logs.

List 25

1 Answer

What you might do (according to the comments) is match a double quote or a comma 1+ times using [",]+ and then capture in a group matching 1+ word characters. Then ,Default follows so that you could match again:

Your match will be in the HostName group.

[",]+(?P<HostName>\w+),Default

Regex demo

If your hostname starts with a word character, you could use lookarounds and a word boundary \b:

(?<=[,"])\b(?P<HostName>\w+)(?=,Default)

Regex demo

The fourth bird
  • @The fourth bird -- Thanks for the regex. Your regex worked like a charm. But I would like a small tweak. Would it be possible to negate Renju Test/Firewall from capturing? The sample log is given below. Also the link -- https://regex101.com/r/vpB3RH/3 "2018-12-12 14:29:49","Default Site","Renju Test/Firewal,Default Site","10.250.33.8","1XX.1X.1XX.1XX.Test.com","Allowed","28 (AAAA)","NXDOMAIN","targets.","" – List 25 Dec 12 '18 at 15:06
  • @List25 You could match 1+ word characters instead `[",]+(\w+),Default` to not match the space and the forward slash: [demo](https://regex101.com/r/vpB3RH/4). If you want to allow more than `\w` you could use a [character class](https://www.regular-expressions.info/charclass.html) and specify what you would allow to match. – The fourth bird Dec 12 '18 at 15:22
  • @The fourth bird Can you help me with updating the regex in your second one? Please see the demo -- https://regex101.com/r/vpB3RH/6 – List 25 Dec 12 '18 at 15:43
  • @List25 You could also match 1+ word characters instead of the negated character class `(?<=[,"])\b(?P<HostName>\w+)(?=,Default)` [Demo](https://regex101.com/r/vpB3RH/7) Shall I update my answer with these regexes? – The fourth bird Dec 12 '18 at 15:48
  • @List25 I have updated my answer with the last 2 regexes. – The fourth bird Dec 12 '18 at 16:18
  • Thanks for the help. Can we negate the character "/"? We would need to capture the hostname if it contains Renju-123 but should not capture "Renju Test / Firewall " https://regex101.com/r/vpB3RH/8 – List 25 Dec 12 '18 at 16:18
  • @List25 like this? https://regex101.com/r/vpB3RH/9 You can add to the character class what you want to match. – The fourth bird Dec 12 '18 at 16:31
  • @List25 You could use a negated character class but then you have to specify what you do not allow to match like https://regex101.com/r/vpB3RH/10 – The fourth bird Dec 12 '18 at 17:03
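
The answer's two patterns run over the sample lines from this page, as an added example that is not code from the original posts. The `[\w-]` variant, the fourth (constructed) log line and the `field_hostname` CSV cross-check are assumptions made here; the cross-check goes beyond the regexes discussed and treats the third column as the identities field.

```python
import csv
import re

# The answer's two patterns, plus a hyphen-tolerant variant. The [\w-] class is
# an assumption standing in for the character class discussed in the comments.
PATTERNS = {
    "consume": re.compile(r'[",]+(?P<HostName>\w+),Default'),
    "lookaround": re.compile(r'(?<=[,"])\b(?P<HostName>\w+)(?=,Default)'),
    "hyphen": re.compile(r'[",]+(?P<HostName>[\w-]+),Default'),
}

# LOGS[0..2] are the page's samples; LOGS[3] is constructed (hyphenated host).
LOGS = [
    '"2018-12-12 13:25:30","Renju, Jacob,M(renjutest)","Renju, Jacob, M (rtest),Renju123,Default Site,Test/firewall","10.221.5.136","XXX.XXX.XXX.XXX","Allowed","16 (A)","NOERROR","1XX.1X.1XX.1XX.Test.com.","Computer Security"',
    '"2018-12-12 13:09:55","rtest","Renju123,Default Site,Renju Renju/Renju","10.250.33.85","XXX.XXX.XXX.XXX","Allowed","12 (PTR)","NOERROR","1XX.1X.1XX.1XX.Test.com.","Software/Technology"',
    '"2018-12-12 14:29:49","Default Site","Renju Test/Firewal,Default Site","10.250.33.8","1XX.1X.1XX.1XX.Test.com","Allowed","28 (AAAA)","NXDOMAIN","targets.",""',
    '"2018-12-12 13:09:55","rtest","Renju-123,Default Site,Renju Renju/Renju","10.250.33.85","XXX.XXX.XXX.XXX","Allowed","12 (PTR)","NOERROR","1XX.1X.1XX.1XX.Test.com.","Software/Technology"',
]


def regex_hostname(line, name):
    """Return the HostName group of the named pattern, or None if no match."""
    m = PATTERNS[name].search(line)
    return m.group("HostName") if m else None


def field_hostname(line):
    """Field-aware alternative: parse the CSV, then take the token just before
    'Default Site' in the third column (column position is an assumption)."""
    row = next(csv.reader([line]))
    parts = row[2].split(",")
    for prev, cur in zip(parts, parts[1:]):
        # Reject identities such as "Renju Test/Firewal" that are not hostnames.
        if cur == "Default Site" and re.fullmatch(r"[\w-]+", prev):
            return prev
    return None


if __name__ == "__main__":
    for line in LOGS:
        print([regex_hostname(line, n) for n in PATTERNS], field_hostname(line))
```
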