I have syslog strings, like this:
lwiod[2469]: S-1-5-21-2071757552-4033313730-2397045981-3628|0xC94F000|LOGON|STATUS_SUCCESS|10.10.19.10|10.10.42.40|COMPANY\USERNAME
lwiod[2469]: S-1-5-21-2071757552-4033313730-2397045981-3628|0xC94F000|LOGON|STATUS_SUCCESS|10.10.19.10|10.10.42.40|USERNAME@COMPANY
lwiod[2469]: S-1-5-21-2071757552-4033313730-2397045981-3628|0xC94F000|LOGON|STATUS_SUCCESS|10.10.19.10|10.10.42.40|UNKNOWN
and I have a regexp to capture everything I need, like this:
lwiod\[([0-9]+)\]: (.*)\|(.*)\|LOGON\|STATUS_(.*)\|(.*)\|(.*)\|(COMPANY\\.*|.*\@COMPANY|UNKNOWN)
What I also need that regexp to do is to give me USERNAME OR UNKNOWN in field 7 only; I don't want the COMPANY (which is an AD domain name), but I'm having trouble.
Field 1 would be S-1-5-21-2071757552-4033313730-2397045981-3628, 2 would be 0xC94F000, ... and 7 would be USERNAME or UNKNOWN.
Thanks!
Okay, I guess you could probably use something like this?
lwiod\[([0-9]+)\]: (.*)\|(.*)\|LOGON\|STATUS_(.*)\|(.*)\|(.*)\|(?:COMPANY\\)?(UNKNOWN|[^@]+)(?:@)?
From your current regex, it appears that COMPANY is as is, so I assumed same. Otherwise, I guess you can use
lwiod\[([0-9]+)\]: (.*)\|(.*)\|LOGON\|STATUS_(.*)\|(.*)\|(.*)\|(?:[^\\]*\\)?(UNKNOWN|[^@]+)(?:@)?
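The following is an added example, not code from either post above. It takes the answer's second (domain-agnostic) pattern and turns it into a small parser for these lwiod logon records, with two changes a practitioner would want: each pipe-delimited field is matched with `[^|]*` rather than `.*`, so the engine cannot backtrack across separators and silently shift fields, and the pattern is anchored to the whole line so a trailing fragment is rejected instead of ignored. The group names (`pid`, `sid`, `session`, `status`, `src_ip`, `dst_ip`, `user`) and the helper `logons_by_user` are my own assumptions about what the fields mean; the sample lines are the three from the question plus one constructed non-matching line.

```python
import re
from typing import Dict, List, Optional

# Assumed field names; the original post only numbers the fields.
# Username handling mirrors the answer: an optional "DOMAIN\" prefix is
# skipped, the user is captured, and an optional "@DOMAIN" suffix is dropped.
LOGON_RE = re.compile(
    r"^lwiod\[(?P<pid>[0-9]+)\]: "
    r"(?P<sid>[^|]*)\|(?P<session>[^|]*)\|LOGON\|STATUS_(?P<status>[^|]*)\|"
    r"(?P<src_ip>[^|]*)\|(?P<dst_ip>[^|]*)\|"
    r"(?:[^\\|@]*\\)?(?P<user>UNKNOWN|[^@|\\]+)(?:@[^|]*)?$"
)

# Constructed sample input: the three lines from the question plus one
# line that is not a logon record.
SAMPLE_LINES: List[str] = [
    r"lwiod[2469]: S-1-5-21-2071757552-4033313730-2397045981-3628|0xC94F000|LOGON|STATUS_SUCCESS|10.10.19.10|10.10.42.40|COMPANY\USERNAME",
    r"lwiod[2469]: S-1-5-21-2071757552-4033313730-2397045981-3628|0xC94F000|LOGON|STATUS_SUCCESS|10.10.19.10|10.10.42.40|USERNAME@COMPANY",
    r"lwiod[2469]: S-1-5-21-2071757552-4033313730-2397045981-3628|0xC94F000|LOGON|STATUS_SUCCESS|10.10.19.10|10.10.42.40|UNKNOWN",
    r"lwiod[2469]: not a logon record",
]


def parse_logon(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one lwiod LOGON line, or None if it
    does not match the expected layout."""
    m = LOGON_RE.match(line)
    if m is None:
        return None
    return m.groupdict()


def logons_by_user(lines: List[str]) -> Dict[str, int]:
    """Count matching logon records per bare username (domain stripped).
    Non-matching lines are ignored; 'UNKNOWN' is kept as its own bucket
    so unresolved principals stay visible in the summary."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_logon(line)
        if rec is None:
            continue
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_logon(line))
    print(logons_by_user(SAMPLE_LINES))
```

Because the username alternation lists `UNKNOWN` first and the domain prefix and suffix are both optional, all three spellings in the question yield the same bare `user` value, which is what you want before grouping or alerting on logons by principal.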