topic Re: Can you help me with the following regex? in Splunk Search

Can you help me with the following regex?

jip31 — Sat, 24 Nov 2018 06:27:35 GMT

Hello

I want to add a rex field in my search

index="ai-wkst-wineventlog-fr" sourcetype="XmlWinEventLog" source="XmlWinEventLog:Application" (Level=1 OR Level=3) Name="'*'"

I want to extract the text which is included before "ProgID" and after "" and also the text which is after "ProgID"

Outlook a désactivé le ou les compléments suivants :
ProgID : WebExOI.Addin

Could you help me please??

Re: Can you help me with the following regex?

burwell — Sat, 24 Nov 2018 07:05:55 GMT

Hi. Can you provide log samples?

Re: Can you help me with the following regex?

jip31 — Sat, 24 Nov 2018 07:19:50 GMT

hi
Outlook a désactivé le ou les compléments suivants :
ProgID : ColleagueImport.ColleagueImportAddin
GUID : {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}
Nom : Microsoft SharePoint Server Colleague Import Add-in

Re: Can you help me with the following regex?

FrankVl — Sat, 24 Nov 2018 12:33:11 GMT

Try this: (?<text1>[^\r\n:]+)\s:\s*ProgID\s:\s(?<text2>[^\r\n]+)
https://regex101.com/r/fRXqTf/1

Re: Can you help me with the following regex?

wagnerlucena — Sat, 24 Nov 2018 13:03:55 GMT

Hi. Please, try this one (.?[\r\n]){1}+(.?[\r\n]){1}

I`ve tested on regex101.com and it looks like exactly that you are looking for.

Re: Can you help me with the following regex?

woodcock — Sat, 24 Nov 2018 18:38:05 GMT

Like this:

(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)

See here:
https://regex101.com/r/QdSDvV/1

Re: Can you help me with the following regex?

jip31 — Tue, 29 Sep 2020 22:11:50 GMT

Hello all and many thanks
I want to add this regex in my query
what is the good syntax please?
| rex field=EventData_Xml "(?ms)^(?.?)\s:[\r\n\s]+ProgID\s+:\s+(?[^\r\n]+)f" | table message ProgID
| rex field=EventData_Xml "(?[^\r\n:]+)\s:\s*ProgID\s:\s(?[^\r\n]+)3 | table text1 text2
?????

Re: Can you help me with the following regex?

jip31 — Sun, 25 Nov 2018 16:48:38 GMT

I have no result Wen i do this
| rex field=EventData_Xml "(?ms)^(?.?)\s:[\r\n\s]+ProgID\s+:\s+(?[^\r\n]+)f "| table message ProgID

Re: Can you help me with the following regex?

jip31 — Tue, 29 Sep 2020 22:11:19 GMT

hello I dont succeed to used it does it something like this :???

rex field=EventData_Xml "(?[^\r\n:]+)\s:\s*ProgID\s:\s(?[^\r\n]+)" | table EventData_Xml

Re: Can you help me with the following regex?

FrankVl — Mon, 26 Nov 2018 08:42:02 GMT

Can you please make sure to post any code between `? Or format it as a code snippet using the 101010 button in the editor toolbar? Now special characters like <> disappear.

It should be something like:

| rex field=EventData_Xml "(?<message>[^\r\n:]+)\s:\s*ProgID\s:\s(?<ProgID>[^\r\n]+)" | table message ProgID

If that isn't working, then I'd like to see a screenshot, or more extensive piece of sample data.

Re: Can you help me with the following regex?

jip31 — Mon, 26 Nov 2018 09:28:36 GMT

sorry franck no it doesnt works
you can see the code here
https://cjoint.com/c/HKAjr4hOctc

Re: Can you help me with the following regex?

FrankVl — Mon, 26 Nov 2018 10:16:27 GMT

Can you:
- show a screenshot that clearly shows the EventData_Xml field exists and what it look like (feel free to mask any sensitive data)
- test the search in a simple way (so without all the rest of your query), just get the data and apply the rex command.

Re: Can you help me with the following regex?

jip31 — Mon, 26 Nov 2018 11:15:47 GMT

Here is the screenshot

https://cjoint.com/c/HKAlomr50Rc
no results also in simple way

Re: Can you help me with the following regex?

FrankVl — Mon, 26 Nov 2018 12:41:30 GMT

Works fine for me: https://imgur.com/a/ew8Io7c

Can you share a screenshot of the search giving no results?

Re: Can you help me with the following regex?

efavreau — Mon, 26 Nov 2018 14:32:46 GMT

This looks like a different question to be asked.

Re: Can you help me with the following regex?

woodcock — Mon, 26 Nov 2018 16:11:22 GMT

I had an extra trailing f character (now deleted). Try this:

Your Search Here:
| rex field=EventData_Xml "(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)"| table message ProgID

Re: Can you help me with the following regex?

woodcock — Mon, 26 Nov 2018 16:13:49 GMT

Did this work @jip31?

Re: Can you help me with the following regex?

mstjohn_splunk — Mon, 26 Nov 2018 21:48:43 GMT

hi @jip31

Did any of the answers below solve your problem? If so, please resolve this post by approving the one that helped you. If your problem is still not solved, keep us updated so that someone else can help. Thanks for posting!

Re: Can you help me with the following regex?

jip31 — Tue, 27 Nov 2018 06:04:29 GMT

yes thanks!