topic Regex for extracting a xml node from a xml feild in Splunk Search https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593021#M206418 <P>Hello Expert,</P><P>Please help me arrive on a regex to extract a xml node in a xml field.</P><P>I have a field value like below</P><DIV><DIV>&lt;Reponse&nbsp;status="failure"&gt;<BR />&nbsp;&lt;messages&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;message&nbsp;id="Payload"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;UpdateAccountRq&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;AccountId&gt;123465&lt;/AccountId&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;NewStatus&gt;Active&lt;/NewStatus&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/UpdateAccountRq&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/message&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&lt;/messages&gt;<BR />&lt;/Reponse&gt;</DIV><DIV>&nbsp;</DIV><DIV><SPAN>And I want to extract the below xml node and display it in a separate field.</SPAN></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;<SPAN>&lt;</SPAN><SPAN>UpdateAccountRq</SPAN><SPAN>&gt;</SPAN></DIV><DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</SPAN><SPAN>&lt;</SPAN><SPAN>AccountId</SPAN><SPAN>&gt;</SPAN><SPAN>123465</SPAN><SPAN>&lt;/</SPAN><SPAN>AccountId</SPAN><SPAN>&gt;</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp;</SPAN><SPAN>&lt;</SPAN><SPAN>NewStatus</SPAN><SPAN>&gt;</SPAN><SPAN>Active</SPAN><SPAN>&lt;/NewStatus</SPAN><SPAN>&gt;</SPAN></DIV><DIV><SPAN>&lt;/</SPAN><SPAN>UpdateAccountRq</SPAN><SPAN>&gt;</SPAN></DIV><DIV>&nbsp;</DIV><DIV><DIV><SPAN>I tried many ways, but nothing works.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Attempt 1:&nbsp; rex field=Action "messages&gt;(?&lt;Payload&gt;.+)&lt;\/messages" | table Action, Payload</SPAN></DIV><DIV><SPAN>Attempt 2:&nbsp; rex field=Action "\&lt;message id=\"Payload\"&gt;(?&lt;Payload&gt;[^&lt;\/message]+)" | table Action, Payload</SPAN></DIV><DIV>&nbsp;</DIV><DIV>Please help. Thanks</DIV></DIV></DIV></DIV> Thu, 07 Apr 2022 22:48:46 GMT ssekar 2022-04-07T22:48:46Z Regex for extracting a xml node from a xml feild https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593021#M206418 <P>Hello Expert,</P><P>Please help me arrive on a regex to extract a xml node in a xml field.</P><P>I have a field value like below</P><DIV><DIV>&lt;Reponse&nbsp;status="failure"&gt;<BR />&nbsp;&lt;messages&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;message&nbsp;id="Payload"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;UpdateAccountRq&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;AccountId&gt;123465&lt;/AccountId&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;NewStatus&gt;Active&lt;/NewStatus&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/UpdateAccountRq&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/message&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&lt;/messages&gt;<BR />&lt;/Reponse&gt;</DIV><DIV>&nbsp;</DIV><DIV><SPAN>And I want to extract the below xml node and display it in a separate field.</SPAN></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;<SPAN>&lt;</SPAN><SPAN>UpdateAccountRq</SPAN><SPAN>&gt;</SPAN></DIV><DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</SPAN><SPAN>&lt;</SPAN><SPAN>AccountId</SPAN><SPAN>&gt;</SPAN><SPAN>123465</SPAN><SPAN>&lt;/</SPAN><SPAN>AccountId</SPAN><SPAN>&gt;</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp;</SPAN><SPAN>&lt;</SPAN><SPAN>NewStatus</SPAN><SPAN>&gt;</SPAN><SPAN>Active</SPAN><SPAN>&lt;/NewStatus</SPAN><SPAN>&gt;</SPAN></DIV><DIV><SPAN>&lt;/</SPAN><SPAN>UpdateAccountRq</SPAN><SPAN>&gt;</SPAN></DIV><DIV>&nbsp;</DIV><DIV><DIV><SPAN>I tried many ways, but nothing works.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Attempt 1:&nbsp; rex field=Action "messages&gt;(?&lt;Payload&gt;.+)&lt;\/messages" | table Action, Payload</SPAN></DIV><DIV><SPAN>Attempt 2:&nbsp; rex field=Action "\&lt;message id=\"Payload\"&gt;(?&lt;Payload&gt;[^&lt;\/message]+)" | table Action, Payload</SPAN></DIV><DIV>&nbsp;</DIV><DIV>Please help. Thanks</DIV></DIV></DIV></DIV> Thu, 07 Apr 2022 22:48:46 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593021#M206418 ssekar 2022-04-07T22:48:46Z Re: Regex for extracting a xml node from a xml feild https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593023#M206420 <P>If your document is conformant XML, you should use builtin commands such as <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath" target="_blank" rel="noopener">spath</A>; regex will be difficult to maintain if the format, or syntax, or schema change. &nbsp;In your case, assuming you have a field named "xml", you can do</P><P>&nbsp;</P><LI-CODE lang="markup">| spath input=xml path=Reponse.messages.message.UpdateAccountRq</LI-CODE><P>&nbsp;</P><P>Your sample data gives the following</P><TABLE width="700px"><TBODY><TR><TD width="352.921875px" height="25px">Reponse.messages.message.UpdateAccountRq</TD><TD width="346.078125px" height="25px">xml</TD></TR><TR><TD width="352.921875px" height="113px">&lt;AccountId&gt;123465&lt;/AccountId&gt; &lt;NewStatus&gt;Active&lt;/NewStatus&gt;</TD><TD width="346.078125px" height="113px">&lt;Reponse status="failure"&gt; &lt;messages&gt; &lt;message id="Payload"&gt; &lt;UpdateAccountRq&gt; &lt;AccountId&gt;123465&lt;/AccountId&gt; &lt;NewStatus&gt;Active&lt;/NewStatus&gt; &lt;/UpdateAccountRq&gt; &lt;/message&gt; &lt;/messages&gt; &lt;/Reponse&gt;</TD></TR></TBODY></TABLE><P>&nbsp;</P> Thu, 07 Apr 2022 23:45:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593023#M206420 yuanliu 2022-04-07T23:45:08Z Re: Regex for extracting a xml node from a xml feild https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593024#M206421 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;is correct, but for a pure <FONT face="courier new,courier">rex</FONT> solution, try this regex</P><LI-CODE lang="markup">\&lt;message id=\"Payload\"&gt;(?&lt;Payload&gt;[\s\S]+?)\&lt;\/message</LI-CODE><P>&nbsp;</P> Thu, 07 Apr 2022 23:50:54 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593024#M206421 richgalloway 2022-04-07T23:50:54Z Re: Regex for extracting a xml node from a xml feild https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593054#M206432 <LI-CODE lang="markup">| rex field=Action "(?ms)messages&gt;(?&lt;Payload&gt;.+)&lt;\/messages"</LI-CODE> Fri, 08 Apr 2022 06:41:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593054#M206432 ITWhisperer 2022-04-08T06:41:03Z Re: Regex for extracting a xml node from a xml feild https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593107#M206442 <P>Thanks for the help. All three are good answers.&nbsp;</P> Fri, 08 Apr 2022 12:44:50 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-a-xml-node-from-a-xml-feild/m-p/593107#M206442 ssekar 2022-04-08T12:44:50Z