Forum Discussion

jgranieri_42214
Feb 11, 2014

Looking for pointers in the right direction on what to use - scan/regexp/Stream Profiles

Hello All,

 

I have a complex requirement from our developers to have the F5 LTM load balance and persist entity logins. The User ID is seen in the TCP payload after the initial handshake and will appear after this particular field: UserID=joe.dirt@company; the next field begins after a comma. The request is that I determine the entity - company - and load balance and persist all users from the same entity to a particular pool.

 

I researched a few ways this could be accomplished using either scan, regexp and stream profile... the stream profile seems to want to find the source string and replace it which is not what I want to do.

 

any help in the right direction would be appreciated....

 

5 Replies

  • can someone advise if this is the right logic, forgive the coding syntax:

     

    when CLIENT_ACCEPTED { log local0. "Entity ID parsing irule - collecting tcp payload" TCP::collect 400 } when CLIENT_DATA { set clientip [IP::client_addr] log local0. "TCP payload collected for $cl

     

    switch -glob [TCP::payload] { "UserID" set entity_id [findstr [TCP::payload] UserID ,] } persist uie $entity_id 1800 } }

     

  • 
    when CLIENT_ACCEPTED {
         log local0. "Entity ID parsing irule - collecting tcp payload"
         TCP::collect 400
    }
    when CLIENT_DATA {
       set clientip [IP::client_addr]
       log local0. "TCP payload collected for $cl
       switch -glob [TCP::payload]  {
       "UserID" 
          set entity_id [findstr [TCP::payload] UserID ,]
    }
         persist uie $entity_id 1800
     }
    }
    

    
    
  • So the UserID is the first piece of data in the TCP payload (this is obviously not HTTP then)? Is this value in every TCP session (after the handshake)? If yes to both, then perhaps start with this:

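    when CLIENT_ACCEPTED {
        # Collect client payload so the UserID field can be inspected
        TCP::collect 400
    }
    when CLIENT_DATA {
        if { [TCP::payload] starts_with "UserID" } {
            # Take the text from "UserID" up to the first comma, then keep the part after "@"
            set company [lindex [split [findstr [TCP::payload] "UserID" 6 ","] "@"] 1]
            if { $company ne "" } {
                switch $company {
                    "company" { pool company_pool }
                    "house" { pool house_pool }
                    "car" { pool car_pool }
                    default { pool default_pool }
                }
            }
        }
        # Release the collected payload for normal processing
        TCP::release
    }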
    
  • The syntax of the findstr command is basically this:

    findstr [data] [string] [skip] [eol]
    

    where [data] is the data you're looking through, [string] is the string in the data you're looking for, [skip] is the number of characters you want to skip after the index of the matching string, and [eol] is a string that terminates the collection. So for example, your data looks like this:

    UserID=jeff.g@company,Passworddfsdfsdfdf
    

    So to get the value between the @ character and the comma, your findstr would look something like this:

     

    [findstr [TCP::payload] "@" 1 ","]
    

    where [TCP::payload] is the data to look through, the "@" character is what you're looking for, 1 is the number of characters to skip after the index of the matching string (in this case just one character "@"), and "," is where to stop collecting. Here's another example to help set it in stone.

     

    set data "cn=bob.smith,ou=users,dc=domain,dc=com"
    
    set user [findstr $data "cn=" 3 ","]
    

    The user variable now equals "bob.smith".
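
Added example, not part of the original thread and not F5 code: a plain Tcl script (for tclsh, not an iRule) that compares the two extraction approaches from the replies above on constructed payloads. `findstr_emul` is a hypothetical stand-in for the iRules `findstr` command covering only the string-terminator form; its no-match and no-terminator behaviour, the `Password`/`Other` field names and the 64-character limit are assumptions.

```tcl
# Added example: plain Tcl for tclsh, not an iRule. findstr_emul is a
# hypothetical stand-in for iRules findstr (string-terminator form only).
proc findstr_emul {data search {skip 0} {eol ""}} {
    set idx [string first $search $data]
    if {$idx < 0} { return "" }                  ;# assumed: no match -> empty
    set rest [string range $data [expr {$idx + $skip}] end]
    if {$eol ne "" && [set stop [string first $eol $rest]] >= 0} {
        set rest [string range $rest 0 [expr {$stop - 1}]]
    }
    return $rest                                 ;# assumed: no terminator -> to end
}

# Approach from the findstr walkthrough: first "@" anywhere in the payload.
proc entity_by_at {payload} {
    return [findstr_emul $payload "@" 1 ","]
}

# Approach from the earlier reply: isolate the UserID field, then split on "@",
# plus a charset/length check before the value is used as a pool or persist key.
proc entity_by_field {payload} {
    if {![string match "UserID=*" $payload]} { return "" }
    set user [findstr_emul $payload "UserID=" 7 ","]
    set parts [split $user "@"]
    if {[llength $parts] != 2} { return "" }
    set entity [lindex $parts 1]
    if {![regexp {^[A-Za-z0-9.-]{1,64}$} $entity]} { return "" }
    return $entity
}

# Constructed payloads (sample data, not captured traffic).
set samples {
    "UserID=joe.dirt@company,Password=x"
    "UserID=joe.dirt,Password=p@ss,Other=1"
    "UserID=joe.dirt@company"
    "Hello=1,UserID=joe.dirt@company,"
    "UserID=a@b@c,"
}
foreach p $samples {
    puts [format "%-42s at=%-10s field=%s" $p \
        "\[[entity_by_at $p]\]" "\[[entity_by_field $p]\]"]
}
```

On the second sample the "@"-only search returns `ss` from the later field, while the field-anchored version returns an empty string, which an iRule can send to its default pool.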