https://community.splunk.com/t5/Dashboards-Visualizations/Gather-fields-from-regExp-and-XML-and-doing-an-bool-Check-for-a/m-p/243559#M15121 <P>Is this where I use RegularExpression or Xml Tag Extract?<BR /> I am trying to create a search that shows when this value is 1 or zero on issuepolicy and gather the GUID in UI Event.<BR /> ideally an report that shows the GUID UIEvent and 0 or 1 from issuepolicy.</P> <P>my RegEx works... Just not in splunk or with extracting the field <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> <PRE><CODE>(?&lt;=UIEvent \[)([^\]]*) </CODE></PRE> <P>and when I tried to extract the xml nothing seemed to notice the pipe<BR /> [search index=mainSvr customers | xmlkv issueNews ]</P> <PRE><CODE>03/09/2016 08:16:51 AM LogName=Application ... 8 lines omitted ... Keywords=Classic Message=2016-03-09 08:16:51,752 [7] INFO UIEvent [26fsvas-0316-4500-a9ca-f90d8c961f59] [(null)] [(null)] [(null)] - omghicom14thiswhoa /Response "&lt;?xml version=\"1.0\" encoding=\"utf-8\"?&gt;&lt;apiResponse&gt;&lt;notices /&gt;&lt;trainRide sessionID=\"31E90C35:1CF37F31:7A35FE:02EE4AD521B4:48E12:914CB7768\"&gt;&lt;notices /&gt;&lt;issueNews status=\"success\" historyID=\"27865\" issuepolicy=\"1\"&gt;&lt;notices /&gt;&lt;/issueNews&gt;&lt;/trainRide&gt;&lt;/apiResponse&gt;" </CODE></PRE> <P>So I am confused can I do this without having access to my server that splunk lives on ? I see some recommend to chang the conf file to allow XML to be automatically parsed.</P> Wed, 09 Mar 2016 13:42:52 GMT geicosean 2016-03-09T13:42:52Z https://community.splunk.com/t5/Dashboards-Visualizations/Gather-fields-from-regExp-and-XML-and-doing-an-bool-Check-for-a/m-p/243559#M15121 <P>Is this where I use RegularExpression or Xml Tag Extract?<BR /> I am trying to create a search that shows when this value is 1 or zero on issuepolicy and gather the GUID in UI Event.<BR /> ideally an report that shows the GUID UIEvent and 0 or 1 from issuepolicy.</P> <P>my RegEx works... Just not in splunk or with extracting the field <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> <PRE><CODE>(?&lt;=UIEvent \[)([^\]]*) </CODE></PRE> <P>and when I tried to extract the xml nothing seemed to notice the pipe<BR /> [search index=mainSvr customers | xmlkv issueNews ]</P> <PRE><CODE>03/09/2016 08:16:51 AM LogName=Application ... 8 lines omitted ... Keywords=Classic Message=2016-03-09 08:16:51,752 [7] INFO UIEvent [26fsvas-0316-4500-a9ca-f90d8c961f59] [(null)] [(null)] [(null)] - omghicom14thiswhoa /Response "&lt;?xml version=\"1.0\" encoding=\"utf-8\"?&gt;&lt;apiResponse&gt;&lt;notices /&gt;&lt;trainRide sessionID=\"31E90C35:1CF37F31:7A35FE:02EE4AD521B4:48E12:914CB7768\"&gt;&lt;notices /&gt;&lt;issueNews status=\"success\" historyID=\"27865\" issuepolicy=\"1\"&gt;&lt;notices /&gt;&lt;/issueNews&gt;&lt;/trainRide&gt;&lt;/apiResponse&gt;" </CODE></PRE> <P>So I am confused can I do this without having access to my server that splunk lives on ? I see some recommend to chang the conf file to allow XML to be automatically parsed.</P> Wed, 09 Mar 2016 13:42:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Gather-fields-from-regExp-and-XML-and-doing-an-bool-Check-for-a/m-p/243559#M15121 geicosean 2016-03-09T13:42:52Z https://community.splunk.com/t5/Dashboards-Visualizations/Gather-fields-from-regExp-and-XML-and-doing-an-bool-Check-for-a/m-p/243560#M15122 <P>Your regex doesn't include a field extraction. Try this:</P> <PRE><CODE>index=mainSvr customers | xmlkv issueNews | rex "(?&lt;=UIEvent \[)(?&lt;GUID&gt;[^\]]*).*?issuepolicy=\\\"(?&lt;issuepolicy&gt;\d)" | ... </CODE></PRE> Wed, 09 Mar 2016 17:42:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Gather-fields-from-regExp-and-XML-and-doing-an-bool-Check-for-a/m-p/243560#M15122 richgalloway 2016-03-09T17:42:21Z