I'm extracting the events ending with Windows LogonIDs... this means like:
Special Privileges assigned to a new Logon: Logon Id: 0x007d
I thought this is the best way to do it:
^(?<event>.+)(?<=ID:\s\d+x[A-F\d]+)$
Using RegexOptions.RightToLeft to start the search from the End of the String.
Using lookbehind so If the {ID: LogonId} didn't exists it will fail as fast as it can.
As I can't find any good Right To Left tester I'm here, asking for your help.
Can you get the position of the match? In Perl, one could do:
if ($str =~ /ID:\s\d+x[A-F\d]+$/i)
say substr($str, 0, $-[0]); # $-[0] is the starting pos of the match.
}
or
if ($str =~ /ID:\s\d+x[A-F\d]+$/ip)
say ${^PREMATCH};
}