sample line:
SOMETEXTBEFORE... UserName=jsmith, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interfaces CmdArgAV=Port-Channel1 CmdArgAV= ], Protocol=Tacacs, MatchedCommandSet=AllowAllCommands, SOMETEXTAFTER...
what I'm hoping to do is pull from the above:
message = entire string above so GREEDYDATA...
add "username" = jsmith
add "command" = show running-config interfaces Port-Channel1
so... I'm pretty sure I could get the username... with
%{GREEDYDATA}UserName=%{WORD:username},
but how do I remove all the "CmdArgAV=" ect... there will be anywhere from 1 to many "CmdArgAV" depending on what command the user ran... they can run "who" and there's only 1 instance or they can run what I did and there's 4 of them...
thoughts or suggestions appreciated.
thanks,
Lee