Forum Discussion
sam_111661
Nimbostratus
Nimbostratusfindstr
Suppose I have data that contains the following:
randomcharacetrs... str=mystring1 str=mystring2 randomcharacetrs...
Is there a way I could store mystring1 and mystring2 into variables using findstr or any other function? mystring1 and mystring2 can have different number of characters
I'm able to find the first one with findstr function but is there a way I can get both? [findstr "str=" 4 " "]
Thanks in advance
hooleylistCirrostratus
Based on the info you've provided so far, the only option I can think of is to use a regex which matches anything after str= up to a space:when RULE_INIT { set ::sample_input_string {random characters... str=mystring1 str=mystring2 random characters...} log local0. "Sample input string: $::sample_input_string" get the str=chars from the original string set ::matches [regexp -inline -all {str=[^ ]+} $::sample_input_string] log local0. "\$::matches: $::matches" loop through each str= and parse the values foreach ::str [split $::matches] { log local0. "\$::str = $::str, value = [getfield $::str "=" 2]" } }
Log output:
Rule : Sample input string: random characters... str=mystring1 str=mystring2 random characters...
Rule : $::matches: str=mystring1 str=mystring2
Rule : $::str = str=mystring1, value = mystring1
Rule : $::str = str=mystring2, value = mystring2
It might be possible to do this with string operations as well, but that is more dependent on the input forms. Can you provide a few more samples of the input?
Will the random characters always be the same length? Will the strings you want to match (str=mystring1 str=mystring2) always be next to each other, separated only be a space?
Aaron
sam_111661Thanks Aaron, the output are LDAP attributes and the str is a multivalued attribute, the output looks like this
ldap:attr:attr1 value1 ldap:attr:attr2 value21 ldap:attr:attr2 value22 ldap:attr:attr3 value3 .... etc
And I'm looking for the value21 and value22
The random characters at the beginning and the end are different in length, the two requested attributes are always next to each other- hooleylistSo is it the values for attr2 and attr3 that you're looking for?
Aaron - sam_111661I'm looking for value21 and value22, these are different values for the same attribute ldap:attr:attr2
Thanks - hooleylistSorry, I missed that the attr number was the same. So will the sample text always have the ldap attribute names and values separated by white space? If so, something like this should work:
when RULE_INIT { set ::sample_input_string {ldap:attr:attr1 value1 ldap:attr:attr2 value21 ldap:attr:attr2 value22 ldap:attr:attr3 value3 .... etc} log local0. "Sample input string: $::sample_input_string" Get the "attribute attribute_value" from the original string set ::matches [regexp -inline -all {ldap:attr:attr2\s[^\s]+} $::sample_input_string] log local0. "\$::matches: $::matches" Loop through each list item and parse the value foreach ::str $::matches { log local0. "\$::str=$::str, value=[lindex $::str 1]" } }
Rule : Sample input string: ldap:attr:attr1 value1 ldap:attr:attr2 value21 ldap:attr:attr2 value22 ldap:attr:attr3 value3 .... etc
Rule : $::matches: {ldap:attr:attr2 value21} {ldap:attr:attr2 value22}
Rule : $::str=ldap:attr:attr2 value21, value=value21
Rule : $::str=ldap:attr:attr2 value22, value=value22
Aaron