https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629152#M218542 <P>Hello,</P> <P>I am trying to get regex to work in ingest actions to match a list of event codes from Window Security Logs.&nbsp;&nbsp;</P> <P>The following regex matches sample text on regex101.com</P> <P>&nbsp;</P> <LI-CODE lang="markup">^(EventCode=(1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447))$</LI-CODE> <P>&nbsp;</P> <P>But it doesn't find in matches when using in ingest actions.</P> <P>Given the eventcodes listed above, can someone assist me with finding the correct regex that will work inside of ingest actions?</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-01 at 6.55.55 AM.png" style="width: 748px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23663iA67B09D976ED6EB2/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-01 at 6.55.55 AM.png" alt="Screenshot 2023-02-01 at 6.55.55 AM.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-01 at 6.53.43 AM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23664iEF79DD1A9945D9FF/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-01 at 6.53.43 AM.png" alt="Screenshot 2023-02-01 at 6.53.43 AM.png" /></span></P> Wed, 01 Feb 2023 16:36:20 GMT garrywilmeth 2023-02-01T16:36:20Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629152#M218542 <P>Hello,</P> <P>I am trying to get regex to work in ingest actions to match a list of event codes from Window Security Logs.&nbsp;&nbsp;</P> <P>The following regex matches sample text on regex101.com</P> <P>&nbsp;</P> <LI-CODE lang="markup">^(EventCode=(1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447))$</LI-CODE> <P>&nbsp;</P> <P>But it doesn't find in matches when using in ingest actions.</P> <P>Given the eventcodes listed above, can someone assist me with finding the correct regex that will work inside of ingest actions?</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-01 at 6.55.55 AM.png" style="width: 748px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23663iA67B09D976ED6EB2/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-01 at 6.55.55 AM.png" alt="Screenshot 2023-02-01 at 6.55.55 AM.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-01 at 6.53.43 AM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23664iEF79DD1A9945D9FF/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-01 at 6.53.43 AM.png" alt="Screenshot 2023-02-01 at 6.53.43 AM.png" /></span></P> Wed, 01 Feb 2023 16:36:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629152#M218542 garrywilmeth 2023-02-01T16:36:20Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629162#M218545 <P>Eliminate the ^ and $ from the regex.&nbsp; The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.</P> Wed, 01 Feb 2023 15:47:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629162#M218545 richgalloway 2023-02-01T15:47:52Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629163#M218546 <P>Beautiful!&nbsp; Too easy <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Thanks so much.</P> Wed, 01 Feb 2023 15:51:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629163#M218546 garrywilmeth 2023-02-01T15:51:56Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629165#M218547 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;How could I flip that so the regex matches anything that is not in that list?</P><P>Thanks,</P><P>Garry</P> Wed, 01 Feb 2023 16:00:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629165#M218547 garrywilmeth 2023-02-01T16:00:23Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629195#M218554 <P>Regex doesn't do negation well, but you can try this</P><LI-CODE lang="markup">EventCode=(?!1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447)</LI-CODE> Wed, 01 Feb 2023 17:42:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-regex-for-ingest-actions-to-match-a-list-of/m-p/629195#M218554 richgalloway 2023-02-01T17:42:15Z