</when><when test="$_evtId = '111009'"><!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config --><collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex></collectAndSetAttrByRegex></when>
<when test="$_evtId = '722011'">
<when test="$_evtId = '313005'"><!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:22.214.171.124 (type 11, code 0) on inside interface. Original IP payload: tcp src 126.96.36.199/80 dst 172.16.200.159/37616. --><collectFieldsByRegex src="$_body"><regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex></collectFieldsByRegex></when>
This is a bit tough when the vendor's log is putting two different types of data into the same field. What you have to determine first is whether or not there is always something in that field that could help you identify it as one or the other. For instance, in your example, John-computer.domain.com in regex would be "\w+-\w+.\w+.\w+"; "John Last" would simply be "\w+ \w+". Since gPatWord is basically a \w+ (e.g. <pattern name="gPatWord"><![CDATA[\w+]]></pattern>), you could string these together to match the text or make your own pattern definition at the top of the parser. I would then just have two collectFieldsByRegex statements to catch each condition.

Now, you need to make sure it's always John[space]Last or John[dash]computer[dot]domain[dot]com; if there are other formats of data coming in, it obviously won't work.
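As an added example (not code from the thread or from the FortiSIEM parser itself), the following Python applies the two regexes the reply suggests to constructed field values, in the same first-match-wins order that two consecutive collectFieldsByRegex blocks would. It also makes the caveat at the end of the reply concrete: a value that fits neither shape is returned as "unknown" instead of being silently attributed to one of the two. The names HOSTNAME_RE, PERSON_RE, classify_field and classify_all are assumptions for this example; the dots in the hostname pattern are escaped here so they match a literal "." rather than any character.

```python
import re

# Added example (not from the original thread). Two anchored patterns, one per
# shape of data the vendor puts into the same field. The dots are escaped so
# "\." matches a literal dot; the unescaped form in the thread also matches,
# but more loosely than intended.
HOSTNAME_RE = re.compile(r"^(?P<host>\w+-\w+\.\w+\.\w+)$")
PERSON_RE = re.compile(r"^(?P<first>\w+) (?P<last>\w+)$")


def classify_field(value: str) -> dict:
    """Classify one field value as a hostname, a person name, or unknown.

    Mirrors two collectFieldsByRegex blocks: the first pattern that matches
    wins. Anything fitting neither shape is reported explicitly so a new
    log format shows up in the data instead of being mis-parsed.
    """
    m = HOSTNAME_RE.match(value)
    if m:
        return {"kind": "hostname", "host": m.group("host")}
    m = PERSON_RE.match(value)
    if m:
        return {"kind": "person", "first": m.group("first"), "last": m.group("last")}
    return {"kind": "unknown", "raw": value}


# Constructed sample field values: the two shapes from the thread plus one
# that fits neither (only two DNS labels, no space).
SAMPLES = [
    "John-computer.domain.com",
    "John Last",
    "John-computer.domain",
]


def classify_all(values=SAMPLES):
    """Classify every value; returns one dict per input, in order."""
    return [classify_field(v) for v in values]


def unmatched(values=SAMPLES):
    """Raw values that matched neither pattern, for parser review."""
    return [r["raw"] for r in classify_all(values) if r["kind"] == "unknown"]


if __name__ == "__main__":
    for result in classify_all():
        print(result)
    print("needs a new pattern:", unmatched())
```

Both patterns are anchored with ^ and $ so a value has to be entirely one shape or the other; without the anchors, a looser pattern placed first could match part of a value meant for the other. The unmatched() list is the check worth running over a day of real events before trusting the parser: if it is non-empty, the field carries a third format and a third pattern (or a custom pattern definition at the top of the parser, as the reply suggests) is needed.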