'Regex Group Name prefix multiple options

I'm performing regex extraction for parsing logs for our SIEM. I'm working with PCRE2. In those logs, I have this problem: I have to extract a field that can be preceded by multiple options and I want use only one group name.

Let me be clearer with an example.

The SSH connection can appear in our log with this form:

UserType=SSH,

And I know that a simple regex expression to catch this is:

UserType=(?<app>.*?),

But, at the same time, SSH can appear with another "prefix":

ACCESS TYPE:SSH;

that can be captured with:

ACCESS\sTYPE:(?<app>.*?);

Now, because the logical field is the same (SSH protocol) and I want map it in every case under group name "app", is there a way to put the previous values in OR and use the same group name?

The desiderd final result is something like:

(UserType=) OR (ACCESS TYPE:) <field_value_here>

regex regex-group

Solution 1:^[1]

You can use

(?:UserType=|ACCESS\sTYPE:)(?<app>[^,;]+)

See the regex demo. Details:

(?:UserType=|ACCESS\sTYPE:) - either UserType= or ACCESS + whitespace + TYPE:
(?<app>[^,;]+) - Group "app": one or more chars other than , and ;.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution	Source
Solution 1	Wiktor StribiÅ¼ew

'Regex Group Name prefix multiple options

Solution 1:[1]

Sources

Related Questions

Solution 1:^[1]