Drill 08: Lookbehind

# Extract MAC address after "Calling-Station-ID="
grep -oP '(?<=Calling-Station-ID=)[0-9A-F:-]+' /var/log/ise-psc.log

# Using \K for longer prefix
grep -oP 'Calling-Station-ID=\K[0-9A-F:-]+' /var/log/ise-psc.log

# Extract username after "UserName="
grep -oP '(?<=UserName=)\S+' /var/log/ise-psc.log

# Extract policy set after "SelectedAccessService="
grep -oP '(?<=SelectedAccessService=)[^,]+' /var/log/ise-psc.log

# Extract VLAN IDs from switchport config
grep -oP '(?<=switchport access vlan )\d+' config.txt

# Extract IP from interface config
grep -oP '(?<=ip address )\d+\.\d+\.\d+\.\d+' config.txt

# Extract hostname from device config
grep -oP '(?<=hostname )\S+' config.txt

# Extract NTP servers
grep -oP '(?<=ntp server )\S+' config.txt

# Extract log level after timestamp
grep -oP '\d{4}-\d{2}-\d{2}T[\d:]+\s+\K\[?\w+\]?' /var/log/app.log

# Extract error code after "ERROR:"
grep -oP '(?<=ERROR: E)\d+' /var/log/app.log

# Extract response time after "took "
grep -oP '(?<=took )\d+(?=ms)' /var/log/app.log

# Extract URL path after method
grep -oP '(?<=(GET|POST|PUT|DELETE) )\S+' /var/log/access.log

# Extract SSH user attempts
grep -oP '(?<=user=)\w+' /var/log/auth.log

# Extract source IPs from failed logins
grep -oP '(?<=from )\d+\.\d+\.\d+\.\d+(?= port)' /var/log/auth.log

# Extract certificate CN
grep -oP '(?<=CN=)[^,/]+' /var/log/ssl.log

# Find secrets NOT preceded by REDACTED marker
grep -P '(?<!\[REDACTED\] )password\s*=' config.txt

# Extract amounts after dollar sign
grep -oP '(?<=\$)\d+(?:\.\d{2})?' ~/receipts/*.txt

# Extract dates after "Date:"
grep -oP '(?<=Date: )\d{4}-\d{2}-\d{2}' ~/documents/*.txt

# Extract email domains
grep -oP '(?<=@)[a-z0-9.-]+\.[a-z]+' ~/contacts.txt

# Extract phone numbers after "Tel:"
grep -oP '(?<=Tel: )[\d-]+' ~/contacts.txt

# Extract task names after checkbox
grep -oP '(?<=\[ \] )[^\n]+' ~/notes/*.md

# Extract tags (after #)
grep -oP '(?<=#)\w+' ~/notes/*.md

# Extract due dates from tasks
grep -oP '(?<=due: )\d{4}-\d{2}-\d{2}' ~/tasks.md

# Extract priority levels after "P"
grep -oP '(?<=\[P)\d(?=\])' ~/tasks.md

# Extract amounts after currency symbols
grep -oP '(?<=[\$\xe2\x82\xac\xc2\xa3])\d+(?:,\d{3})*(?:\.\d{2})?' ~/budget.txt

# Extract vendor names from transactions
grep -oP '(?<=Paid: )[A-Z][a-z]+(?: [A-Z][a-z]+)*' ~/expenses.txt

# Extract interest rates
grep -oP '(?<=APR: )\d+\.\d+(?=%)' ~/accounts.txt

# Extract account numbers (last 4 after "****")
grep -oP '(?<=\*{4})\d{4}' ~/accounts.txt

# Extract event names after time
grep -oP '(?<=\d{2}:\d{2} )[A-Z][^\n]+' ~/calendar.txt

# Extract durations after "Duration:"
grep -oP '(?<=Duration: )\d+(?= hours?)' ~/timesheet.txt

# Extract project names from time entries
grep -oP '(?<=\[)[^\]]+(?=\])' ~/timesheet.txt

# Positive lookbehind
grep -oP '(?<=prefix)pattern' file.txt

# Negative lookbehind
grep -oP '(?<!exclude)pattern' file.txt

# \K alternative (more flexible)
grep -oP 'prefix\Kpattern' file.txt

# Combining with lookahead
grep -oP '(?<=left)middle(?=right)' file.txt

# sed doesn't support lookbehind
# Workaround: Capture and replace

# Extract after prefix:
echo "prefix:value" | sed 's/prefix:\(.*\)/\1/'
# Output: value

# Remove prefix but keep suffix:
echo "prefix:value:suffix" | sed 's/prefix:\([^:]*\):.*/\1/'
# Output: value

# Use with capturing groups:
echo "key=value" | sed -E 's/.*=(.+)/\1/'
# Output: value

# awk doesn't support lookbehind
# Use field splitting instead

# Extract after @
echo "user@domain.com" | awk -F'@' '{print $2}'
# Output: domain.com

# Extract after =
echo "key=value" | awk -F'=' '{print $2}'
# Output: value

# Extract with match()
echo "prefix123suffix" | awk 'match($0, /prefix([0-9]+)/, a) {print a[1]}'
# Output: 123

" Positive lookbehind (vim uses \@<= )
/\(prefix\)\@<=pattern

" Negative lookbehind (vim uses \@<! )
/\(prefix\)\@<!pattern

" Example: Find numbers after $
/\$\@<=\d\+

" Example: Find words NOT after "the "
/\(the \)\@<!\<\w\+\>

" Extract value after = (using substitute)
:%s/.*=\(\w\+\)/\1/

import re

text = "user@example.com price: $99.99"

# Positive lookbehind
domain = re.search(r'(?<=@)[a-z.]+', text)
print(domain.group())  # example.com

# Extract price
price = re.search(r'(?<=\$)\d+\.\d+', text)
print(price.group())  # 99.99

# Negative lookbehind
text2 = "export transport port"
words = re.findall(r'(?<![a-z])port', text2)
print(words)  # ['port'] - only standalone port

# Variable-width lookbehind (Python 3.8+)
# Python's regex module supports variable-width!
# Standard re module still has fixed-width limitation

const text = "user@example.com";

// Positive lookbehind
const domain = text.match(/(?<=@)[a-z.]+/);
console.log(domain[0]);  // example.com

// Negative lookbehind
const text2 = "export transport port";
const words = text2.match(/(?<![a-z])port/g);
console.log(words);  // ['port']

// Note: Lookbehind added in ES2018
// Not supported in older browsers

# FAILS: Quantifiers in lookbehind
grep -oP '(?<=a+)b' <<< "aaab"
# Error: lookbehind assertion is not fixed length

# FAILS: Different-length alternatives
grep -oP '(?<=cat|mouse)s' <<< "cats mouses"
# Error: different-length alternatives

# WORKS: Same-length alternatives
grep -oP '(?<=cat|dog)s' <<< "cats dogs"
# Output: s, s (both 3 characters)

# SOLUTION: Use \K
grep -oP '(cat|mouse)\Ks' <<< "cats mouses"
# Output: s, s

# $ needs escaping (it's a regex anchor)
grep -oP '(?<=\$)\d+' <<< "Price: $100"
# Output: 100

# [ ] need escaping
grep -oP '(?<=\[)INFO(?=\])' <<< "[INFO] Message"
# Output: INFO

# Parentheses need escaping for literal match
grep -oP '(?<=\()value(?=\))' <<< "(value)"
# Output: value

# Lookbehind: Position must FOLLOW the pattern
echo "abcdef" | grep -oP '(?<=abc)...'
# Output: def

# \K: Everything before \K is matched but discarded
echo "abcdef" | grep -oP 'abc\K...'
# Output: def

# Difference with overlapping matches:
echo "aaa" | grep -oP '(?<=a)a'
# Output: a, a (positions 1 and 2)

echo "aaa" | grep -oP 'a\Ka'
# Output: a (only one match - 'aa' consumed)

# Lookbehind doesn't consume characters
echo "abc" | grep -oP '(?<=a)b'
# Output: b (only 'b', not 'ab')

# This matters for replacement:
echo "abc" | sed -E 's/(?<=a)b/X/'  # sed doesn't support lookbehind
# Use capturing group instead:
echo "abc" | sed 's/\(a\)b/\1X/'
# Output: aXc

# Multiple lookbehinds: both must match
echo "123abc456" | grep -oP '(?<=\d)(?<=[0-9]{3})abc'
# First lookbehind: preceded by digit
# Second lookbehind: preceded by 3 digits
# Both check from same position

# More practical: lookbehind + other assertion
echo "abc123def" | grep -oP '(?<=abc)\d+(?=def)'
# Output: 123