Ubuntu: Regex to find word 1 or word 2 but not word 3


I have the following message:

Apr 12 12:48:02 poe true: sudo: nagios : command not allowed ; TTY=unknown ; PWD=/var/log/nagios;

How do I make a regex that looks for the word Sudo or Command but not to look for the word true? Reason being I have other messages that have just the words sudo and command and i'm not interested in viewing the messages with the combination of those 2 words with that 3rd word. I have so far tried:

1.(?=.*word1)(?=.*word2) 2. word1.*word2

Both of them failed to exlcude the word that I don't want. Basically I want the resultant set to not consist of those messages that would have word3 along with word1 and word2 but want the resultant set to have either word1 or word2.


(Added from comment)

<30>Jun 11 12:42:02 true:/var/ossec/logs/alerts/alerts.log Apr 12 12:48:01 duffy sudo: nagios : command not allowed ; TTY=unknown ; PWD=/var/log/nagios;   <85>Apr 11 12:00:46 verne sudo: ndakjs2 : TTY=pts/0 ; PWD=/Defactor/2/rules/claimsfactor ; USER=NONE; COMMAND   

If you take both that above messages, I want the regex to match the second message since it has the word sudo in it, but not match the first message as it has the word true in it. I'm only interested in the resultant set without the word TRUE. Although that 1st message has Sudo, I don't want that message.


You're asking for this


The thing (?!...) is a negative look-ahead operator which checks if any word exists. Check it here http://rubular.com/r/aYzwcfekrI

Credit goes to this SO question.

You can also just use a regular program to check if it contains the word true.

Assuming lines is an array of log messages, it would be something like this

lines.each do |line|    puts line unless line.include?("true")  end  

Hope this helps.

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »