$re = '/(?P<date>\S{3}\s\d{1,3}\s\d{2}\:\d{2}\:\d{2})\s(?P<device>\S+)\s\S\=(?P<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:\s\S\=\"(?P<user>.*?)\"\s\S\=\d+\s\S\=\S\s\S\=\d+\s\S\=\d+\s\S+\=\d\s\S{1,3}\=.*?type=\".*?\"\s.*?meth=(?P<type>\S+)\s\S+\=\"(?P<url>.*?)\"\s\S{2}\=\"(?P<agent>.*?)\"\s\S{1,3}\=\"(?P<url2>.*?)dom\=\"(?P<domain>.*?)\".*?target_ip\=\"(?P<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\".*/';
$str = 'Oct 18 06:27:03 WS2000.wnins.com h=172.16.20.74: u="WNINS\\\\rehetzel" s=200 X=+ t=1445149621 T=44767 Ts=0 act=1 cat="0x2200000008" app="-" rsn=- threat="-" type="image/jpeg" ctype="image/jpeg" sav-ev=- sav-dv=- uri-dv=- cache=- in=471 out=990 meth=GET ref="http://www.techrepublic.com/blog/the-enterprise-cloud/how-do-i-assign-permissions-to-users-to-see-sql-agent-jobs/" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36" req="GET http://d.pzkysq.pink/5ET3nslK.jpg?z=715211411411 HTTP/1.1" dom="pzkysq.pink" filetype="-" rule="0" filesize=518 axtime=0.000455 fttime=0.000043 scantime=- src_cat="0x2000000008" labs_cat="0x2000000008" dcat_prox="-" target_ip="204.93.43.48" labs_rule_id="0" reqtime=0.000 adtime=0.000000 ftbypass=- os=Windows authn=17 auth_by=ntlm dnstime=0.000009 quotatime=-';
$subst = "";
$result = preg_replace($re, $subst, $str, 1);
echo "The result of the substitution is ".$result;
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php