RegEx - Finding strings when another substring not present
-
I am trying to parse an IIS log in Notepad++ so that it returns the From address when the log line does not contain OutboundConnectionCommand.
2023-03-07 01:30:24 1.2.3.4 OutboundConnectionCommand SMTPSVC1 SERVER01- 0 MAIL - FROM:<any_name@abc.com>+SIZE=933660 0 0 4 0 141 SMTP - - - - 2023-03-07 01:30:24 1.2.3.4Server02.abc.com SMTPSVC1 SERVER01 1.2.3.4 0 MAIL - +FROM:<any_name@abc.com> 250 0 60 47 0 SMTP - - - -I want to return
From:<any_name@abc.com>if OutboundConnectionCommand does not exist in the line. I assume I would have to use a negative lookbehind, but I cannot quite get the command correct.
Tried this in regex101.com but it looks like it matches both From: strings:
FROM:.*>(?<!\bOutboundConnectionCommand\b) -
Probably this matches what you want?:
Find:
(?-is)^(?!.*OutboundConnectionCommand).*?FROM:<any_name@abc\.com>
Search mode: Regular expression -
@Alan-Kilborn
Thanks for the RegEx. We are getting closer to what I would like. I tried your solution and it successfully selects the entire line. I apologize that I did not include the entire situation. The IIS log tells of all the emails that come into it and get sent out. So, for each email, there will be an incoming and an outgoing entry. Before, I was just extracting the email addresses, but I realized that I was double counting the email addresses (incoming and outgoing). So, I figured I would try and extract the email addresses on all lines that had OutboundConnectionCommand (the emails that are leaving IIS) and try and extract the email address between the FROM:< and the ending >. Can NotePad++, using RegEx (I assume), find the line as you noted in your reply, extract the email address between FROM:< and > ?I would assume that the replace line would be something along the lines of \r\n<regex of email address>\r\n so then I can apply the bookmarking of that line that would then facilitate me removing all unmarked bookmarks.
-
I have figured out how to find the line I want using:
(?=.*\bOutboundConnectionCommand\b)(?=.*FROM)Now I just need to extract the email between the < and >
-
@Zeff-Wheelock-0 said in RegEx - Finding strings when another substring not present:
extract the email addresses on all lines that had OutboundConnectionCommand
This is different in a big way from your original request.
Evolving needs tends to confuse those offering help…
But it appears you are well on your way to solving your own problem, so that’s great! -
@Alan-Kilborn
I apologize for that. After seeing your answer, I realized that I probably needed to add more context than the original ask.I have tried:
(?=.*\bOutboundConnectionCommand\b)(?=.*FROM)(?<=\<).*(?=\>)But it seems to select the entire line. Am I close?
-
I’ve sort of lost track of what the full need is, but I think you can match the entire line with the email address into capture group 1 with:
Find:
(?-is)^.*?OutboundConnectionCommand.*?FROM:<(.+?)>.*Then you might replace with
${1}?Again, a lot of info, so I can’t really pick off what is needed.
-
@Alan-Kilborn
Unfortunately, that just blanked out the whole line. I am trying to match any line that contains the bolded content and get the email address within the Less Than/Greater Than delimiters:2023-03-07 01:30:24 1.2.3.4 OutboundConnectionCommand SMTPSVC1 SERVER01- 0 MAIL - FROM:<return_email_address_between_delimiters@abc.xyz>+SIZE=933660 0 0 4 0 141 SMTP - - - -
Thanks for helping me out!
-
@Zeff-Wheelock-0 said in RegEx - Finding strings when another substring not present:
that just blanked out the whole line
Hmm, my testing shows that it replaces the line with ONLY the email address.
get the email address
But we don’t know what this means.
Maybe your goal isn’t replacement in the original file…If you literally mean you just want a copy of the email addresses that match the criteria you’ve previously outlined, I’d suggest a Mark operation followed by a Copy Marked Text operation followed by a paste (somewhere else).
Find:
(?-is)^.*?OutboundConnectionCommand.*?FROM:<\K.+?(?=>)Press Mark All.
Press Copy Marked Text.
Move to new tab; paste:
-
@Alan-Kilborn
Thanks! I had the previous version of Notepad++. Upgraded to the new version and your solution worked flawlessly and fast! Thanks for the help! -
@Zeff-Wheelock-0 said in RegEx - Finding strings when another substring not present:
I had the previous version of Notepad++. Upgraded to the new version
I don’t think an upgrade had anything to do with it, but it is good that you have some satisfaction!
-
The
\Koperator for forgetting all the text found so far is really cool and I’m glad I learned about it. -
@Mark-Olson said in RegEx - Finding strings when another substring not present:
The \K operator for forgetting all the text found so far is really cool and I’m glad I learned about it.
Not strictly necessary for the above, though.
If this wasn’t an “evolved” solution I probably wouldn’t have used it.
But it was a matter of “where are we now”…ok…CANCEL with\K! -
@Alan-Kilborn just adding that the version that I was using did not have the option in Mark to Copy Marked Text. I was one version behind. Upgrading Notepad++ gave me that option.
