Input line:
Thu 2017-03-30 00:00:07: user@domain.com (John Doe) checked mail from 127.0.0.1 using IMAP, 0 msgs collected, 21 remaining
PowerShell script:
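# Extract timestamp, mailbox, client IP and protocol from mail-server log lines
# and write one CSV row per line to analysis.csv.
#
# The pattern is an alternation of four capture groups. With -AllMatches each
# log line yields one match per field found, in left-to-right order:
#   group 4: timestamp anchored at start of line, e.g. "Thu 2017-03-30 00:00:07"
#   group 1: e-mail address
#   group 2: dotted-quad IPv4 address (octets are not range-checked, so
#            999.1.1.1 also matches)
#   group 3: protocol, POP or IMAP
#
# The string is single-quoted so PowerShell neither treats the backtick in the
# address character class as an escape character nor tries to expand '$'; the
# apostrophe inside the class is doubled for that reason.
#
# Select-String is case-insensitive by default, so "pop" or "imap" inside a
# display name or address also counts as a match.
$rxp = '([a-z0-9!#$%&''*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&''*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(POP|IMAP)|(^[A-Z][a-z]+\s\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})'

# NOTE(review): the exported values are taken from log content that remote
# clients can influence (the address character class allows a leading '=', '+'
# or '-'). Treat analysis.csv as untrusted data if it is opened in a spreadsheet.
Get-Content '.\*.log' |
    Select-String -Pattern $rxp -AllMatches |
    ForEach-Object {
        $found = $_.Matches

        # Fields are assigned by position, so only lines with exactly four
        # matches are exported. Any other line is skipped silently ('return'
        # ends this iteration only); compare the row count with the input if
        # completeness matters.
        if ($found.Count -ne 4) { return }

        [pscustomobject]@{
            'date'   = $found[0].Value
            'email'  = $found[1].Value
            'ipaddr' = $found[2].Value
            'proto'  = $found[3].Value
        }
    } |
    Export-Csv -NoTypeInformation analysis.csv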