in reply to Re^2: Perl Regex
in thread Perl Regex

Please define "not working". What do you expect to happen? What happens instead? Any warning or error messages?

And here is the log file format:

No, that's just some crap copied and pasted from elsewhere. Inside <code></code>, it may have been a little bit helpful, as an example, but not in this form. All of the possible whitespace characters have collapsed to a single space, due to the way HTML works. And it looks like you have edited the example, making things even worse. A proper specification of the log format would really be useful. If you don't have that, post several unmodified(!) log lines inside <code></code>. If the log comes from a well-known piece of software, tell us the name and version of that software.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Re^4: Perl Regex
by cipher (Acolyte) on Nov 23, 2010 at 11:12 UTC
    "It's not working" means I do not get any output when I print $msg; I expect it to print the actual string from the log. I have mentioned this in my first post. Here is the log file inside code:
    20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 log_id=2 type=ips subtype=signature pri=alert fwver=040002 severity=medium carrier_ep="N/A" profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" policyid=2 status=detected proto=17 service=1434/udp vd="root" count=1 src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" incident_serialno=2004954881 msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"

    All other fields are matching and working fine except this one.
    I tried debugging, and the regex matches the string, but not when I run my Perl script.
    DB<10> $msg = q(some_fields msg="http_decoder: HTTP.Unknown.Tunnelling" some_fields)
    DB<11> x $msg
    0 'some_fields msg="http_decoder: HTTP.Unknown.Tunnelling" some_fields'
    DB<12> x $msg =~ /msg=\"(.*?)\"/
    0 'http_decoder: HTTP.Unknown.Tunnelling'
    DB<13> x $msg =~ /msg=\"+((?:([^:,]+):\s|)([^,]+?)\s*(?:\s*,.*?|))\"+/
    0 'http_decoder: HTTP.Unknown.Tunnelling'
    1 'http_decoder'
    2 'HTTP.Unknown.Tunnelling'
      I think this may be because I am splitting the fields by space, and there is a space after msg="database:, so I am trying to match my regex on two fields.
      20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 log_id=2 type=ips subtype=signature pri=alert fwver=040002 severity=medium carrier_ep="N/A" profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" policyid=2 status=detected proto=17 service=1434/udp vd="root" count=1 src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" incident_serialno=2004954881 msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"
        Yes, that is exactly where your problem is. You are not matching the whole line in the log-file, but only a part of it.

        Perhaps you have to rethink your approach and not split the log-lines by spaces, but craft individual regexes for each field.

        CountZero

        "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James
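One way to do what CountZero suggests, walking the line with a single key=value regex instead of splitting on spaces, as an added example that is not part of the thread. The sample line is constructed from the one quoted above (fields trimmed, IPs already masked there), and parse_kv is a hypothetical name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample, modelled on the log line quoted in the thread.
my $line = '20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 '
         . 'log_id=2 type=ips subtype=signature pri=alert severity=medium '
         . 'profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" '
         . 'dst_int="internal" status=detected proto=17 service=1434/udp '
         . 'src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" '
         . 'ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" '
         . 'incident_serialno=2004954881 '
         . 'msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"';

# Walk the line token by token with one regex instead of split(' ', $line).
# A value is either "quoted text, spaces allowed" or a bare run of
# non-whitespace; tokens without '=' (the leading timestamp) are kept
# separately. A quoted value is therefore never cut at an inner space.
sub parse_kv {
    my ($text) = @_;
    my (%field, @head);
    while ($text =~ /\G\s*(?:(\w+)=(?:"([^"]*)"|(\S*))|(\S+))/gc) {
        if (defined $1) { $field{$1} = defined $2 ? $2 : $3 }
        else            { push @head, $4 }
    }
    return (\%field, join ' ', @head);
}

my ($f, $head) = parse_kv($line);
print "header   : $head\n";
printf "%-9s: %s\n", $_, $f->{$_} for qw(src dst attack_id msg);

# The IPS message itself, split into an optional "category:" and the
# signature name, which is what the regex in the debugger session tries to do.
if ($f->{msg} =~ /^(?:([^:]+):\s*)?(.+)$/) {
    print "category : ", (defined $1 ? $1 : '(none)'), "\n";
    print "signature: $2\n";
}
```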