Greetings. I am a PERL programmer (there, I've said it) who can't fight his way out of a regular-expression-wet-paper-bag. It's not that I don't understand them, they are incredibly powerful and due to my time constraints seem to be hiding from me. So I thought I would ask here.

Currently, I write code that processes text messages sent from network devices (typically SNMP traps). Recently our dear friend Cisco upgraded their VPN concentrator IOS and "fixed" a bunch of messages they had previously left inconsistent (similar messages had slight syntactical variations).

My program originally parsed the message using split in this fashion:

($KEY, $DATE, $TIMESTAMP, $SEV, $LOG_NUM, $RPT, $IP_ADDR, $H1, $H2, $USER, $H3, $H4, $H5, $H6, $H7, $H8, $H9, $H10, $H11, $H12, $H13, $DURATION) = split(/ /, $VAR2);

Now I find myself stuck because my parsing routine isn't nearly smart enough to handle the new message formats. Basically, I am looking for a regular expression technique to pick out the elements I need from the message without having to split the string in pieces (because the number of pieces now fluctuates depending on the message). Here are two sample messages (an old one and a new one):

[2] private.enterprises.3076.2.1.4.4.15.22 (OctetString): 65479332 04/07/2004 04:15:21.980 SEV=4 AUTH/22 RPT=8622 User silk01 connected

Here is the new message, notice slight deviations:

[2] private.enterprises.3076.2.1.4.4.15.22 (OctetString): 1064993 04/12/2004 01:02:31.890 SEV=4 AUTH/22 RPT=362 User [schk01] Group [cisco3015] connected, Session Type: IPSec

My parsing isn't flexible enough to handle the shifting data, and the code administration for my current routine is ugly. Can someone suggest an alternative using regular expressions that would parse out the fields I need? In the example above, I need the user ID, the group, the status of connected and the session type. I can detect the presence of a new version message vs. an old message so I can programmatically handle them differently - I don't need a regex that handles both.

Thanks in advance, I'm a little over my head here.

20040414 Edit by BazB: Changed title from 'Regular Expressions Hate Me'
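
One way to pull the requested fields out of both sample messages with anchored regular expressions and named captures, as an added example that is not part of the original post. The capture names (seq, class, event, session) and the parse_trap helper are assumptions made for illustration; the first two sample lines are the post's messages and the third is constructed.

```perl
use strict;
use warnings;
use 5.010;    # named captures (%+) and the // operator

# Header shared by both formats: sequence, date, time, severity,
# event class/number and repeat count. Names are illustrative.
my $HEADER = qr{
    \(OctetString\): \s+ (?<seq>\d+)
    \s+ (?<date>\d{2}/\d{2}/\d{4})
    \s+ (?<time>\d{2}:\d{2}:\d{2}\.\d+)
    \s+ SEV=(?<sev>\d+)
    \s+ (?<class>[A-Z]+)/(?<event>\d+)
    \s+ RPT=(?<rpt>\d+) \s+
}x;

# Old format: "User silk01 connected"
my $OLD = qr{ $HEADER User \s+ (?<user>\S+) \s+ (?<status>\w+) \s* \z }x;

# New format: "User [schk01] Group [cisco3015] connected, Session Type: IPSec"
my $NEW = qr{
    $HEADER User \s+ \[ (?<user>[^\]]+) \]
    \s+ Group \s+ \[ (?<group>[^\]]+) \]
    \s+ (?<status>\w+) , \s+ Session\ Type: \s+ (?<session>.+?) \s* \z
}x;

# Returns a hashref of captured fields, or nothing if neither format matches.
sub parse_trap {
    my ($msg) = @_;
    return +{ %+ } if $msg =~ $NEW or $msg =~ $OLD;
    return;
}

my @samples = (
    '[2] private.enterprises.3076.2.1.4.4.15.22 (OctetString): 65479332 04/07/2004 04:15:21.980 SEV=4 AUTH/22 RPT=8622 User silk01 connected',
    '[2] private.enterprises.3076.2.1.4.4.15.22 (OctetString): 1064993 04/12/2004 01:02:31.890 SEV=4 AUTH/22 RPT=362 User [schk01] Group [cisco3015] connected, Session Type: IPSec',
    '[2] private.enterprises.3076.2.1.4.4.15.22 (OctetString): constructed line that fits neither format',
);

for my $msg (@samples) {
    my $f = parse_trap($msg);
    # Keep unmatched traps visible instead of guessing at field positions.
    unless ($f) { warn "unparsed trap: $msg\n"; next; }
    printf "%s %s user=%s group=%s status=%s session=%s\n",
        @{$f}{qw(date time user)}, $f->{group} // '-',
        $f->{status}, $f->{session} // '-';
}
```

Because each pattern is anchored to the end of the message with `\z`, a line that gains or loses trailing fields fails to match and is reported rather than being parsed into the wrong variables.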


In reply to Regex for IOS messages by Anonymous Monk
