https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-multiple-values-between-tags/m-p/532363#M150386 <P>The event contains a 'before' and 'after' list of permissions and users SIDs, I can get splunk to extract the entire 'before' list and the entire 'after' list but only as single events.</P><P>but i need to break it down to list&nbsp; to indivudal Permission and SID</P><P>&nbsp;</P><P>This it the entire event:</P><P><SPAN class="t">2020-12-07</SPAN> <SPAN class="t">22:45:51.123</SPAN> <SPAN class="t">91046</SPAN> <SPAN class="t">SUCCESS</SPAN>&nbsp;Domain\User&nbsp;<SPAN class="t">Archive</SPAN> <SPAN class="t">Permissions</SPAN> <SPAN class="t">Archive</SPAN> <SPAN class="t">133481FD9531D0347BBCE92FFF45B4FE11110000evaultcol</SPAN><SPAN> &lt;</SPAN><SPAN class="t">Archive</SPAN> <SPAN class="t">ArchiveID=</SPAN><SPAN>"</SPAN><SPAN class="t">133481FD9531D0347vaultcol</SPAN><SPAN>" </SPAN><SPAN class="t">ArchiveName=</SPAN><SPAN>"</SPAN><SPAN class="t">Last</SPAN><SPAN>, </SPAN><SPAN class="t">First</SPAN><SPAN>"&gt;&lt;</SPAN><SPAN class="t">OldManualSD</SPAN><SPAN>&gt;</SPAN><SPAN class="t"><span class="lia-unicode-emoji" title=":anguished_face:">😧</span></SPAN><SPAN>(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCDCLCSWRPWPDT</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-10875</SPAN><SPAN>)(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCSW</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-2406856</SPAN><SPAN>)(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCSW</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-2406857</SPAN><SPAN>)</SPAN><SPAN>&lt;</SPAN><SPAN class="t">/OldManualSD</SPAN><SPAN>&gt;&lt;</SPAN><SPAN class="t">NewManualSD</SPAN><SPAN>&gt;</SPAN><SPAN class="t"><span class="lia-unicode-emoji" title=":anguished_face:">😧</span><SPAN>(</SPAN>A<SPAN>;;</SPAN>CCDCLCSWRPWPDT<SPAN>;;;</SPAN>S-1-5-21-299502267-1960408961-839522115-10875<SPAN>)(</SPAN>A<SPAN>;;</SPAN>CCSW<SPAN>;;;</SPAN>S-1-5-21-299502267-1960408961-839522115-2406856<SPAN>)(</SPAN>A<SPAN>;;</SPAN>CCSW<SPAN>;;;</SPAN>S-1-5-21-299502267-1960408961-839522115-2406857<SPAN>)</SPAN></SPAN><SPAN>(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCDCSWRPDT</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-3949157</SPAN><SPAN>)&lt;</SPAN><SPAN class="t">/NewManualSD</SPAN><SPAN>&gt;&lt;</SPAN><SPAN class="t">/Archive</SPAN><SPAN>&gt; ServerName</SPAN></P><P><SPAN class="t">The 'before' list is between the&nbsp;<SPAN>&lt;</SPAN>OldManualSD<SPAN>&gt; and&nbsp;&lt;\OldManualSD&gt; tags, the 'after' list is between the&nbsp;&lt;NewManualSD&gt; and&nbsp;&lt;/NewManualSD&gt; tags</SPAN></SPAN></P><P><SPAN class="t"><SPAN>The Permissions field is between the ;; and ;;; delimiters and is followed by the SID. There is a varying number of permsissons/SIDs in each event</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="t"><SPAN>Can get part way there; ex_OldManual_GP and ex_NewManual_GP fields extract from the "Info" field and the contain the before and after, but trying to get a second extraction based off&nbsp;ex_OldManual_GP and ex_NewManual_GP always fails&nbsp;</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="t"><SPAN>from the event above, I would like:</SPAN></SPAN></P><P><SPAN class="t"><SPAN>OldManual = A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10475<BR /></SPAN></SPAN><SPAN class="t"><SPAN>OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456<BR />OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457</SPAN></SPAN></P><P><SPAN class="t"><SPAN>NewManual =&nbsp;</SPAN></SPAN><SPAN class="t"><SPAN>A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10875<BR /></SPAN></SPAN><SPAN class="t"><SPAN>NewManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456<BR /></SPAN><SPAN><SPAN>NewManual =&nbsp;</SPAN>A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457<BR /></SPAN></SPAN><SPAN class="t"><SPAN>NewManua l= A;;CCDCSWRPDT;;;S-1-5-21-299502367-1960408961-839522117-3949147</SPAN></SPAN></P><P>Any ideas?</P><P>&nbsp;</P><P><SPAN class="t"><SPAN>my transforms.conf file:</SPAN></SPAN></P><P>[ex_fields_extract]<BR />FIELDS = "AuditDate","AuditID","Status","UserName","CategoryName","SubCategoryName","ObjectID","Vault","info","MachineName"<BR />DELIMS = "\t"</P><P>[ex_OldManual_GP]<BR />SOURCE_KEY = info<BR />REGEX=\&gt;(&lt;OldManualSD&gt;D:)((?P&lt;OldManual_GP&gt;.*))(&lt;\/OldManualSD&gt;)</P><P>[ex_NewManual_GP]<BR />SOURCE_KEY = info<BR />REGEX=\&gt;(&lt;NewManualSD&gt;D:)((?P&lt;NewManual_GP&gt;.*))(&lt;\/NewManualSD&gt;)</P><P>[ex_OldManual_MV]<BR />SOURCE_KEY = OldManual_GP<BR />REGEX=;;(?P&lt;perm&gt;\w+);;;*<BR />MV_ADD=true</P><P>[ex_NewManual_MV]<BR />SOURCE_KEY = NewManual_GP<BR />REGEX=(?&lt;NewManual&gt;[^,]+),*<BR />MV_ADD=true</P><P>&nbsp;</P><P>my props.conf file</P><P>[exlogs]<BR />REPORT-ex_fields = ex_fields_extract<BR />REPORT-mvalue = ex_OldManual_MV, ex_NewManual_MV, ex_NewManual_GP, ex_OldManual_GP<BR />SHOULD_LINEMERGE = false</P><P>&nbsp;</P> Tue, 08 Dec 2020 17:41:07 GMT capilarity 2020-12-08T17:41:07Z https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-multiple-values-between-tags/m-p/532363#M150386 <P>The event contains a 'before' and 'after' list of permissions and users SIDs, I can get splunk to extract the entire 'before' list and the entire 'after' list but only as single events.</P><P>but i need to break it down to list&nbsp; to indivudal Permission and SID</P><P>&nbsp;</P><P>This it the entire event:</P><P><SPAN class="t">2020-12-07</SPAN> <SPAN class="t">22:45:51.123</SPAN> <SPAN class="t">91046</SPAN> <SPAN class="t">SUCCESS</SPAN>&nbsp;Domain\User&nbsp;<SPAN class="t">Archive</SPAN> <SPAN class="t">Permissions</SPAN> <SPAN class="t">Archive</SPAN> <SPAN class="t">133481FD9531D0347BBCE92FFF45B4FE11110000evaultcol</SPAN><SPAN> &lt;</SPAN><SPAN class="t">Archive</SPAN> <SPAN class="t">ArchiveID=</SPAN><SPAN>"</SPAN><SPAN class="t">133481FD9531D0347vaultcol</SPAN><SPAN>" </SPAN><SPAN class="t">ArchiveName=</SPAN><SPAN>"</SPAN><SPAN class="t">Last</SPAN><SPAN>, </SPAN><SPAN class="t">First</SPAN><SPAN>"&gt;&lt;</SPAN><SPAN class="t">OldManualSD</SPAN><SPAN>&gt;</SPAN><SPAN class="t"><span class="lia-unicode-emoji" title=":anguished_face:">😧</span></SPAN><SPAN>(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCDCLCSWRPWPDT</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-10875</SPAN><SPAN>)(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCSW</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-2406856</SPAN><SPAN>)(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCSW</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-2406857</SPAN><SPAN>)</SPAN><SPAN>&lt;</SPAN><SPAN class="t">/OldManualSD</SPAN><SPAN>&gt;&lt;</SPAN><SPAN class="t">NewManualSD</SPAN><SPAN>&gt;</SPAN><SPAN class="t"><span class="lia-unicode-emoji" title=":anguished_face:">😧</span><SPAN>(</SPAN>A<SPAN>;;</SPAN>CCDCLCSWRPWPDT<SPAN>;;;</SPAN>S-1-5-21-299502267-1960408961-839522115-10875<SPAN>)(</SPAN>A<SPAN>;;</SPAN>CCSW<SPAN>;;;</SPAN>S-1-5-21-299502267-1960408961-839522115-2406856<SPAN>)(</SPAN>A<SPAN>;;</SPAN>CCSW<SPAN>;;;</SPAN>S-1-5-21-299502267-1960408961-839522115-2406857<SPAN>)</SPAN></SPAN><SPAN>(</SPAN><SPAN class="t">A</SPAN><SPAN>;;</SPAN><SPAN class="t">CCDCSWRPDT</SPAN><SPAN>;;;</SPAN><SPAN class="t">S-1-5-21-299502267-1960408961-839522115-3949157</SPAN><SPAN>)&lt;</SPAN><SPAN class="t">/NewManualSD</SPAN><SPAN>&gt;&lt;</SPAN><SPAN class="t">/Archive</SPAN><SPAN>&gt; ServerName</SPAN></P><P><SPAN class="t">The 'before' list is between the&nbsp;<SPAN>&lt;</SPAN>OldManualSD<SPAN>&gt; and&nbsp;&lt;\OldManualSD&gt; tags, the 'after' list is between the&nbsp;&lt;NewManualSD&gt; and&nbsp;&lt;/NewManualSD&gt; tags</SPAN></SPAN></P><P><SPAN class="t"><SPAN>The Permissions field is between the ;; and ;;; delimiters and is followed by the SID. There is a varying number of permsissons/SIDs in each event</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="t"><SPAN>Can get part way there; ex_OldManual_GP and ex_NewManual_GP fields extract from the "Info" field and the contain the before and after, but trying to get a second extraction based off&nbsp;ex_OldManual_GP and ex_NewManual_GP always fails&nbsp;</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="t"><SPAN>from the event above, I would like:</SPAN></SPAN></P><P><SPAN class="t"><SPAN>OldManual = A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10475<BR /></SPAN></SPAN><SPAN class="t"><SPAN>OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456<BR />OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457</SPAN></SPAN></P><P><SPAN class="t"><SPAN>NewManual =&nbsp;</SPAN></SPAN><SPAN class="t"><SPAN>A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10875<BR /></SPAN></SPAN><SPAN class="t"><SPAN>NewManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456<BR /></SPAN><SPAN><SPAN>NewManual =&nbsp;</SPAN>A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457<BR /></SPAN></SPAN><SPAN class="t"><SPAN>NewManua l= A;;CCDCSWRPDT;;;S-1-5-21-299502367-1960408961-839522117-3949147</SPAN></SPAN></P><P>Any ideas?</P><P>&nbsp;</P><P><SPAN class="t"><SPAN>my transforms.conf file:</SPAN></SPAN></P><P>[ex_fields_extract]<BR />FIELDS = "AuditDate","AuditID","Status","UserName","CategoryName","SubCategoryName","ObjectID","Vault","info","MachineName"<BR />DELIMS = "\t"</P><P>[ex_OldManual_GP]<BR />SOURCE_KEY = info<BR />REGEX=\&gt;(&lt;OldManualSD&gt;D:)((?P&lt;OldManual_GP&gt;.*))(&lt;\/OldManualSD&gt;)</P><P>[ex_NewManual_GP]<BR />SOURCE_KEY = info<BR />REGEX=\&gt;(&lt;NewManualSD&gt;D:)((?P&lt;NewManual_GP&gt;.*))(&lt;\/NewManualSD&gt;)</P><P>[ex_OldManual_MV]<BR />SOURCE_KEY = OldManual_GP<BR />REGEX=;;(?P&lt;perm&gt;\w+);;;*<BR />MV_ADD=true</P><P>[ex_NewManual_MV]<BR />SOURCE_KEY = NewManual_GP<BR />REGEX=(?&lt;NewManual&gt;[^,]+),*<BR />MV_ADD=true</P><P>&nbsp;</P><P>my props.conf file</P><P>[exlogs]<BR />REPORT-ex_fields = ex_fields_extract<BR />REPORT-mvalue = ex_OldManual_MV, ex_NewManual_MV, ex_NewManual_GP, ex_OldManual_GP<BR />SHOULD_LINEMERGE = false</P><P>&nbsp;</P> Tue, 08 Dec 2020 17:41:07 GMT https://community.splunk.com/t5/Splunk-Search/Using-regex-to-extract-multiple-values-between-tags/m-p/532363#M150386 capilarity 2020-12-08T17:41:07Z