Find a character based on position and match everything after in regex and logstash

Question

This is my string:

msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery:Announcement: Holiday Tomorrow

The string above is a log line. I want to find the 3rd colon and match everything after it. The Announcement: Holiday Tomorrow is a subject title so I can have a colon or not.

I tried this so far

[^:]+$     // Holiday Tomorrow
(?<=:).*$  //  Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery:Announcement: Holiday Tomorrow"

I will be using the regex in my logstash config.

grok {

    match {
        "msg" => "(regex here)%{GREEDYDATA:subject}"
    }

}

Answer 1

Try this (but I don't know anything about lagstash):

(?:.+?:){3}(.*) capture group 1 will have what you want

Skip past 3 .+: 's and capture the rest.

https://regex101.com/r/p2jodw/3

Answer 2

Gave up on regex in logstash for this particular log. Instead I modified my log/String to have a "Subject - " part instead. so logstash config can be simple From this

msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery: Subject - Announcement: Holiday Tomorrow

To this

msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery: Subject - Announcement: Holiday Tomorrow

grok {

 match {

 "msg" => "Subject - %{GREEDYDATA:headerSubject}"

 }

}