https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502250#M139795 <P>I have an event code 33205 which comes from Windows application logs, for which field extraction is not happening eventhough Windows Add-on in installed. <BR /> To extract the statement field in the event, I am using the below regular expression </P> <P>| rex field=_raw "statement:(?[\d\D]*[\n\s])additional"</P> <P>which extracts the data till additional_information field. But there are extra spaces which are getting included while extracting like this</P> <P><STRONG>quote</STRONG></P> <P>EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)</P> <P><STRONG>unquote</STRONG></P> <P>The extra spaces is not getting removed. Could you please help on this to write regex?</P> <P>Sample event.</P> <P>database_name:test<BR /> schema_name:dbo<BR /> object_name:Table_2<BR /> statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)</P> <P>additional_information:<BR /> user_defined_information:<BR /> application_name:EUPTTOPDBS004\SQLNAV-test-test2-4</P> Wed, 30 Sep 2020 04:44:39 GMT gndivya 2020-09-30T04:44:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502250#M139795 <P>I have an event code 33205 which comes from Windows application logs, for which field extraction is not happening eventhough Windows Add-on in installed. <BR /> To extract the statement field in the event, I am using the below regular expression </P> <P>| rex field=_raw "statement:(?[\d\D]*[\n\s])additional"</P> <P>which extracts the data till additional_information field. But there are extra spaces which are getting included while extracting like this</P> <P><STRONG>quote</STRONG></P> <P>EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)</P> <P><STRONG>unquote</STRONG></P> <P>The extra spaces is not getting removed. Could you please help on this to write regex?</P> <P>Sample event.</P> <P>database_name:test<BR /> schema_name:dbo<BR /> object_name:Table_2<BR /> statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)</P> <P>additional_information:<BR /> user_defined_information:<BR /> application_name:EUPTTOPDBS004\SQLNAV-test-test2-4</P> Wed, 30 Sep 2020 04:44:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502250#M139795 gndivya 2020-09-30T04:44:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502251#M139796 <P>Hi</P> <P>Check this</P> <PRE><CODE>| makeresults | eval log="database_name:test schema_name:dbo object_name:Table_2 statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0) additional_information: user_defined_information: application_name:EUPTTOPDBS004\SQLNAV-test-test2-4" |rex field=log "statement:(?P&lt;statement&gt;[^\n]+)" </CODE></PRE> Fri, 20 Mar 2020 07:49:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502251#M139796 vnravikumar 2020-03-20T07:49:33Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502252#M139797 <PRE><CODE>| rex "(?m)statement:(?&lt;statement&gt;.*$)" </CODE></PRE> <P>try <CODE>(?m)</CODE> option. OR</P> <PRE><CODE>| rex "statement:(?&lt;statement&gt;.*+)" </CODE></PRE> Fri, 20 Mar 2020 09:50:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502252#M139797 to4kawa 2020-03-20T09:50:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502253#M139798 <P>@to4kawa this worked when in a normal search query, I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?<BR /> I want to know, what does that (?m) means at the beginning of the regex string. If possible, kindly let me know what document you refer to while creating regular expression.</P> Fri, 20 Mar 2020 14:44:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502253#M139798 gndivya 2020-03-20T14:44:00Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502254#M139799 <P>@vnravikumar , This is working when used in a normal query, but I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?</P> Fri, 20 Mar 2020 14:45:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502254#M139799 gndivya 2020-03-20T14:45:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502255#M139800 <P>Like this:</P> <PRE><CODE>... | rex "statement\:(?&lt;statement&gt;.*)[\r\n\s]+additional" </CODE></PRE> Fri, 20 Mar 2020 15:58:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502255#M139800 woodcock 2020-03-20T15:58:11Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502256#M139801 <P><CODE>(?m)</CODE></P> <P><A href="https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php">https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php</A></P> <P>Settings:</P> <P>Fields » Field extractions » Add new</P> <UL> <LI>Destination app <CODE>search</CODE>(default)</LI> <LI>Name <CODE>statement_extraction</CODE></LI> <LI>Apply to <CODE>sourcetype</CODE></LI> <LI>named <CODE>your sourcetype</CODE></LI> <LI>Type <CODE>Inline</CODE></LI> <LI>Extraction/Transform <CODE>statement:(?&lt;statement&gt;.*+)</CODE></LI> </UL> Fri, 20 Mar 2020 20:55:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502256#M139801 to4kawa 2020-03-20T20:55:57Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502257#M139802 <P>There is a fairly unknown gem which is your best friend in these scenarios, "erex".</P> <P>Easiest to quote examples directly from the documentation, but it works like a champ.<BR /> ... | erex monthday examples="7/01, 07/02" counterexamples="99/2"</P> <P>Use "examples" to include samples of what you are searching for, and "counterexamples" to exclude.<BR /> Append one or both to your existing search, then view the Job Inspector. It'll give you the correct regex syntax to find what you are looking for. It is extremely useful!</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Erex">https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Erex</A></P> Sat, 21 Mar 2020 00:34:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502257#M139802 codebuilder 2020-03-21T00:34:30Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502258#M139803 <P>When I use this, I am getting all the data after "statement" like additional_information, user_defined_information, all other things. Please let me know what else can be done to get only the required information</P> Wed, 30 Sep 2020 04:40:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502258#M139803 gndivya 2020-09-30T04:40:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502259#M139804 <P>your log is something wrong.<BR /> check props.conf and LINE_BREAKER</P> Mon, 23 Mar 2020 08:56:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data-from-windows-event/m-p/502259#M139804 to4kawa 2020-03-23T08:56:05Z