Decoder for different logs

[R]

Hi all. I have a problem writing a decoder for events with different data. For example (not the entire event and not the entire decoder are specified here, only some fields):

event_type:alert, src_ip:104.156.155.14, src_ip_type:external, src_port:51671, src_country:USA, src_country_code:US

Decoder that  match's for this event is:
<regex>event_type:(\.+), src_ip:(\.+), src_ip_type:(\.+), src_port:(\.+), src_country:(\.+), src_country_code:(\.+)</regex>
<order>event_type,src_ip,src_ip_type,src_port,src_country,src_country_code</order>

But if event doesn't contain some of data for emample:

event_type:alert, src_ip:192.178.198.10, src_ip_type:local, src_port:4444, src_country:, src_country_code:

This decoder is not working.

Question is what expression should be used for fields that do not contain data

[Md. Nazmur Sakib]

Hi User,

If your logs have these differences

src_country:USA,

src_country:,

You should write a regex like this

src_country:(\.*),

* is defined as zero or more times whereas + is defined as one or more times.

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

If you still have issues, please share some full sample logs and the decoder so that I can test it in my lab and share the findings.