2 Replies Latest reply on Jan 8, 2015 2:16 PM by Yanick Girouard

    How to parse multi-line/quoted fields using a grammar file?

    Yanick Girouard

      We need to create extended objects that will return a list of Windows event logs to the live browse view (or snapshot). We found how to get the list of event logs, but the issue is that because the Message field of the event logs can have multiple lines in it, the grammar is unable to see them as a single field, even when using string qualifiers (double-quotes).


      This issue could apply to any kind of record that contains multi-line fields as well, so it doesn't have to be specific to event logs; I'm just using this as a concrete example.


      For example, here's a record:


      "EventID"    "MachineName"    "Data"    "Index"    "Category"    "CategoryNumber"    "EntryType"    "Message"    "Source"    "ReplacementStrings"    "InstanceId"    "TimeGenerated"    "TimeWritten"    "UserName"    "Site"    "Container"
      "4672"    "WHMM35836"    "System.Byte[]"    "73543"    "(12548)"    "12548"    "SuccessAudit"    "Special privileges assigned to new logon.
          Security ID:        S-1-5-21-603681073-1316226-1767722702-1003
          Account Name:        BladeLogicRSCD
          Account Domain:        WHMM35836
          Logon ID:        0x2662a6ed
      Privileges:        SeSecurityPrivilege
                  SeImpersonatePrivilege"    "Microsoft-Windows-Security-Auditing"    "System.String[]"    "4672"    "1/7/2015 4:18:25 PM"    "1/7/2015 4:18:25 PM"

      This comes from the output of a PowerShell command and is tab-delimited, with double-quotes as string qualifiers. How can I write a grammar that will parse this record into a single one, keeping the multi-line Message field intact?
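The record format described in the post, parsed with quote awareness and re-emitted as one physical line per event so that a record-per-line parser can consume it. This is an added example, not part of the original post and not a grammar file. The function names and the shortened sample are constructed. It assumes embedded quotes are doubled and that a short record is missing trailing columns.

```python
import csv
import io

# Constructed sample modelled on the record in the post (fewer columns):
# tab-delimited, double-quoted, Message spans lines and contains tabs.
SAMPLE = (
    '"EventID"\t"EntryType"\t"Message"\t"Source"\t"UserName"\n'
    '"4672"\t"SuccessAudit"\t"Special privileges assigned to new logon.\n'
    '\tAccount Name:\t\tBladeLogicRSCD\n'
    'Privileges:\t\tSeSecurityPrivilege\n'
    '\t\t\tSeImpersonatePrivilege"\t"Microsoft-Windows-Security-Auditing"\n'
    '"4624"\t"SuccessAudit"\t"He said ""ok"""\t"Test-Source"\t"N/A"\n'
)


def parse_records(text):
    """Return (header, rows). Quoted fields may hold tabs and newlines."""
    # newline="" keeps embedded line breaks intact for the csv module;
    # strict=True turns an unterminated quote into csv.Error.
    reader = csv.reader(io.StringIO(text, newline=""), delimiter="\t",
                        quotechar='"', doublequote=True, strict=True)
    header = next(reader)
    rows = []
    for row in reader:
        if not row:
            continue  # blank line between records
        if len(row) > len(header):
            raise ValueError(f"record near line {reader.line_num} has extra fields")
        # Assumption: a short record (as in the post's sample) is missing
        # trailing columns, so pad on the right.
        row += [""] * (len(header) - len(row))
        rows.append(dict(zip(header, row)))
    return header, rows


def flatten(value, sep=" | "):
    """Collapse a multi-line field to one line with no tabs."""
    lines = (" ".join(part.split()) for part in value.splitlines())
    return sep.join(line for line in lines if line)


def to_single_line_records(text):
    """Re-emit every record as one tab-delimited physical line."""
    header, rows = parse_records(text)
    out = ["\t".join(header)]
    out += ["\t".join(flatten(r[h]) for h in header) for r in rows]
    return out


if __name__ == "__main__":
    print("\n".join(to_single_line_records(SAMPLE)))
```

Flattening is lossy: the original line breaks and tab alignment inside Message are replaced by the separator, so keep the raw export if the exact text matters.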