use strict;
my $str = 'May 1 08:21:02 192.168.1.1 id=firewall sn=fakeserial time="2020-05-01 12:21:02 UTC" fw=1.2.3.4 pri=3 c=4 m=14 msg="Web site access denied" app=2515 sess="Auto" n=398533 usr="sampledomain\\username" src=192.168.1.150:50334:X0 dst=72.21.81.240:80:X1 srcMac=b0:00:b4:18:4a:b5 dstMac=c0:ea:e4:9d:a0:8c proto=tcp/http dstname=ctldl.windowsupdate.com arg=/gen_204?atyp=i&zx=1588539000507&ogsr=1&ei=dy6vXv6PNbGRggefsqLQBg&ct=7&cad=i&id=19014990&loc=imghp&prid=2&ogd=com code=99 Category="Administrative Custom List settings" fw_action="drop"
May 1 08:21:02 192.168.1.1 id=firewall sn=fakeserial time="2020-05-01 12:21:02 UTC" fw=1.2.3.4 pri=3 c=4 m=14 msg="Web site access denied" app=2515 sess="Auto" n=398533 usr="sampledomain\\username" src=192.168.1.150:50334:X0 dst=72.21.81.240:80:X1 srcMac=b0:00:b4:18:4a:b5 dstMac=c0:ea:e4:9d:a0:8c proto=tcp/http dstname=ctldl.windowsupdate.com arg=/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab code=99 Category="Administrative Custom List settings" fw_action="drop"';
my $regex = qr/(\w{3} \d* [\d:]*).*usr="([a-z\\]*)".*dstname=([\w.]*).*arg=([\/][^ ]*)/mp;
if ( $str =~ /$regex/g ) {
print "Whole match is ${^MATCH} and its start/end positions can be obtained via \$-[0] and \$+[0]\n";
# print "Capture Group 1 is $1 and its start/end positions can be obtained via \$-[1] and \$+[1]\n";
# print "Capture Group 2 is $2 ... and so on\n";
}
# ${^POSTMATCH} and ${^PREMATCH} are also available with the use of '/p'
# Named capture groups can be called via $+{name}
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Perl, please visit: http://perldoc.perl.org/perlre.html