This is my string:
msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery:Announcement: Holiday Tomorrow
The string above is a log line. I want to find the 3rd colon and match everything after it. The Announcement: Holiday Tomorrow
is a subject title so I can have a colon or not.
I tried this so far
[^:]+$ // Holiday Tomorrow
(?<=:).*$ // Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery:Announcement: Holiday Tomorrow"
I will be using the regex in my logstash config.
grok {
match {
"msg" => "(regex here)%{GREEDYDATA:subject}"
}
}
Try this (but I don't know anything about lagstash):
(?:.+?:){3}(.*)
capture group 1 will have what you want
Skip past 3 .+:
's and capture the rest.
Gave up on regex in logstash for this particular log. Instead I modified my log/String to have a "Subject - " part instead. so logstash config can be simple From this
msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery: Subject - Announcement: Holiday Tomorrow
To this
msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery: Subject - Announcement: Holiday Tomorrow
grok {
match {
"msg" => "Subject - %{GREEDYDATA:headerSubject}"
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.