Reputation: 1419
I have a regex that searches for IP addresses in a log file. I am using positive lookbehind for this. I want to get IP addresses in a line that contains phpExecution. My regex is
(?<=.*sqlExecution.*"ip":")[^"]+
The problem is that the log analyzing tool that we are using (Graylog) does not support lookbehinds. This regex works in VSCode search and online regex testers. But in Graylog, it does not work.
Is there any alternative for this regex without the lookbehind?
Sample log line:
<200> Nov 16 14:36:10 phpExecution INFO: Php Execution {"ip":"33.333.333.33","workspace":"gasqazvin","timeZone":"2019-11-16 14:11:10","usrUid":"","action":"phpExecution","filename":"/var/www/html/pm/shared/sites/work/public/1244635345345/23425452.php","url":"/syswork/fa/modern/1244635345345/23425452.php?"}
It's not just the IP field, I have to do it for all the fields, like workflow, timezone, ... . So it might not be just digits.
Upvotes: 0
Views: 252
Reputation: 37460
You could try this pattern phpExecution.+"ip":\s*"([^"]+)
Explanation:
phpExecution - match phpExecution literally
.+ - 1+ of any chars
"ip": - match "ip": literally
\s* - 0+ of whitespaces
"([^"]+) - match " literally, then 1+ chars other than " and store it in first capturing group - this will be your desired value
Note that you can put any field name in place of ip.
Upvotes: 1
Reputation: 1287
Here is a solution:
\"ip\":\"([^\"]+)\".+\"action\":\"phpExecution\".+
With the following assumption: phpExecution is always after the IP address in the JSON
Demo: https://regex101.com/r/6rJcia/1
Note that I would suggest using a JSON parser for this job.
Upvotes: 1
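The two approaches from the answers above, side by side, as an added example that is not code from either answer: the capture-group pattern built for any field name, and a JSON parse of the payload. The function names and the log lines are constructed for illustration; the lines are modelled on the sample in the question and include an empty value and an escaped quote, two cases where the pattern and the parser give different results.

```python
import json
import re

# Constructed lines modelled on the sample in the question (values invented).
SAMPLE = ('<200> Nov 16 14:36:10 phpExecution INFO: Php Execution '
          '{"ip":"33.333.333.33","workspace":"gasqazvin","usrUid":"",'
          '"action":"phpExecution","url":"/syswork/fa/modern/1/2.php?"}')
ESCAPED = (r'<200> Nov 16 14:36:11 phpExecution INFO: Php Execution '
           r'{"action":"phpExecution","url":"/a.php?q=\"x\"","ip":"10.0.0.7"}')
OTHER = ('<200> Nov 16 14:36:12 sqlExecution INFO: Sql Execution '
         '{"ip":"10.0.0.6","action":"sqlExecution"}')


def field_by_regex(line, field, marker="phpExecution"):
    """Capture-group pattern from the first answer, built for any field name."""
    pattern = re.escape(marker) + r'.+"' + re.escape(field) + r'":\s*"([^"]+)'
    match = re.search(pattern, line)
    return match.group(1) if match else None


def field_by_json(line, field, action="phpExecution"):
    """Parse the JSON payload, so key order and escaped quotes do not matter."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        payload = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    # Only accept payloads whose action field names the event we want.
    if not isinstance(payload, dict) or payload.get("action") != action:
        return None
    return payload.get(field)


if __name__ == "__main__":
    for line in (SAMPLE, ESCAPED, OTHER):
        for field in ("ip", "usrUid", "url"):
            print(field, repr(field_by_regex(line, field)),
                  repr(field_by_json(line, field)))
```

The pattern returns nothing for the empty usrUid value and cuts the url off at the escaped quote, while the parser returns the empty string and the full decoded value.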