Home/ Questions/Q 5937927
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T15:36:42+00:00

I’m extracting the events ending with Windows LogonIDs… this means like: Special Privileges assigned

  • 0

I’m extracting the events ending with Windows LogonIDs… this means like:

Special Privileges assigned to a new Logon: Logon Id: 0x007d

I thought this is the best way to do it:

^(?<event>.+)(?<=ID:\s\d+x[A-F\d]+)$

Using RegexOptions.RightToLeft to start the search from the End of the String.

Using lookbehind so If the {ID: LogonId} didn’t exists it will fail as fast as it can.

As I can’t find any good Right To Left tester I’m here, asking for your help.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Can you get the position of the match? In Perl, one could do:

    if ($str =~ /ID:\s\d+x[A-F\d]+$/i)
   say substr($str, 0, $-[0]);  # $-[0] is the starting pos of the match.
}

    or

    if ($str =~ /ID:\s\d+x[A-F\d]+$/ip)
   say ${^PREMATCH};
}
    • 0