Select the contents of the key-values fields from the string

Hi! There is a log with such records: Dec 17 10:08:38 10.52.137.1 Apr 3 22:46:57 2012 930-RTR-944 %%10SSH/6/SSH_LOGIN(l): -DevIP=10.52.137.1; STEL user monitor (IP: 192.168.181.94) logged in successfully. Dec 17 10:08:38 10.52.137.1 Apr 3 22:46:57 2012 930-RTR-944 %%10SC/6/SC_AAA_SUCCESS(l): -DevIP=10.52.137.1-AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=monitor@system; AAA is successful. Dec 17 10:08:38 10.52.137.1 Apr 3 22:46:57 2012 930-RTR-944 %%10SC/6/SC_AAA_SUCCESS(l): -DevIP=10.52.137.1-AAAType=AUTHEN-AAAScheme= hwtacacs-scheme tacacs-Service=login-UserName=monitor@system; AAA is successful. Dec 17 10:08:13 10.98.171.65 Jan 20 00:00:17 2011 MSR954-RTR-LTE-5686 %%10CELLULAR/5/CELLULAR: -DevIP=10.98.171.65; Controller Cellular1/0: The network connection switched to 3G. Dec 17 10:08:04 10.199.69.26 May 23 21:50:30 2012 930-RTR-14815 %%10SSH/4/TrapLogoff(t): 1.3.6.1.4.1.25506.2.22.1.3.0.4 SSH user logoff trap information It is necessary to parse the fields between the characters "-" and ";". For example: -DevIP = 10.52.137.1; -DevIP = 10.52.137.1-AAAType = ACCOUNT-AAAScheme = local-Service = login-UserName = monitor@system; -DevIP = 10.52.137.1-AAAType = AUTHEN-AAAScheme = hwtacacs-scheme tacacs-Service = login-UserName = monitor@system; The difficulty is that the symbol "-" is used as a separator between key-value pairs, which is also present in the value: "AAAScheme = hwtacacs-scheme tacacs". I used EVAL to replace "-" with "|": EVAL-cmd_params_src = replace (cmd_params_src, "- (\ p {Lu})", "| \ 1") And I see: cmd_params_src = "DevIP = 10.52.137.1 | AAAType = AUTHEN | AAAScheme = hwtacacs-scheme tacacs | Service = login | UserName = monitor @ system" But fields are not translated to key value. props.conf [hp_routers] EVAL-vendor = "HP" KV_MODE = none REPORT-fields_general = extract_hp_route_general REPORT-fields_cmd_parameters = extract_hp_route_cmd_parameters REPORT-fields_cmd_message = extract_hp_route_cmd_message EVAL-cmd_params_src = replace(cmd_params_src, "-(\p{Lu})", "|\1") REPORT-field_params = extracet_field_from_params transforms.conf [extract_hp_route_general] REGEX = ^(?P\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P[^ ]+)\s+(?P\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)[^ \n]* (?P[^ ]+)[^ \n]* \%\%10(?\w+)\/$ [extract_hp_route_cmd_parameters] REGEX = (?:\s-)(?.+)(?:;) disabled = 0 [extract_hp_route_cmd_message] REGEX = (?:;\s+)(?.+)$ [extracet_field_from_params] REGEX = (\w+)=(\s?[.\-\s@\w]+) FORMAT = $1::$2 SOURCE_KEY = cmd_params_src #DELIMS = "|", "=" REPEAT_MATCH = True CLEAN_KEYS = 1 What am I doing wrong, how to fix the situation? regards Michael