I am trying to write a REGEX for anything which has parenthesis, hyphens and spaces.
The strings I have look like
Jan 29 06:32:56 172.16.23.26 Jan 29 06:30:27 : CEF:0|ABCD Networks|NAC-VM-C|8.6.2.1203|-1|IP Address Update|1|rt=Jan 29 06:30:27 877 EST cat=EndStation src=10.10.14.58 smac=FA:39:71:6F:B3:43 shost=iPhone cs1Label=Physical<space>network<space>location cs1=AMNYPARU535A-FL37-VIP ROLE mobile msg=Adapter FA:39:71:6F:B3:43 IP Address changed from 10.10.14.53 to 10.10.14.58
Jan 28 21:22:51 172.16.23.26 Jan 28 21:20:24 : CEF:0|ABCD Networks|FortiNAC-VM-C|8.6.2.1203|-1|IP Address Update|1|rt=Jan 28 21:20:24 110 EST cat=EndStation src=10.3.38.61 smac=EA:19:49:37:10:73 shost=TsutomunoiPhone cs1Label=Physical<space>network<space>location cs1=APTOKARU535A-VIP ROLE mobile msg=Adapter EA:19:49:37:10:73 IP Address changed from 100.64.241.38 to 10.3.38.61
Jan 29 10:52:59 172.16.23.26 Jan 29 10:50:30 : CEF:0|ABCD Networks|NAC-VM-C|8.6.2.1203|303067011|Rogue Connected|1|rt=Jan 29 10:50:30 523 EST cat=EndStation smac=42:DE:D8:19:D2:69 cs1Label=Physical<space>network<space>location cs1=EUPARARU535A [10.2.32.198]-VIP ROLE registration msg=Rogue Host 42:DE:D8:19:D2:69 Connected to EUPARARU535A [10.2.32.198]-VIP ROLE registration.
My objective is to get anything after cs1= till the msg field. I have tried the regex but couldn't progress any further:
^(?:[^>\n]*>){2}\w+\s+\w+\d+\=(?P<cs_details>\w+[ -])
Fields I need to match from the above regex:
AMNYPARU535A-FL37-VIP ROLE mobile
APTOKARU535A-VIP ROLE mobile
EUPARARU535A [10.2.32.198]-VIP ROLE registration
You can use
^(?:[^>\n]*>){2}\w+\s+\w+\d+=(?P<cs_details>.*?)(?=\s*\w+=|$)
See the regex demo.
The = char is not special, you do not need to escape it.
The (?P<cs_details>.*?)(?=\s*\w+=|$) part matches any zero or more chars other than line break chars, as few as possible with .*? (capturing this value into the cs_details group) that are immediately followed with zero or more whitespaces, then one or more word chars and then a =, or that are at the end of the string.