Getting Data In

Splunk Forwarder $xmlregex

ashketchum
New Member

I'm looking for support on my $xmlregex Blacklist. I have checked as many previous tickets as I can and I'm still stuck.

It works when I put the events into regex101 which is why I'm so confused.

This is what I have ended up with:

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
renderXml = 1
# 4100 Error Log | 4104 Script Block
whitelist = 4104,4100
blacklist  = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Program(?:\sFiles|Data)(\s\(x86\))?\\(?:qualys|Nexthink|uniFLOW\sSmartClient)\\$
blacklist1 = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Windows\\ccm\\$

I've had to use [\S\s]* because the it's a PowerShell script which has carriage returns in.

Any help would be massively appreciated.

Thanks! 

Labels (2)
0 Karma

lar06
Explorer

Have you tried not escaping the < and > chars ?

I've read somewhere escaping a non-special char might not work here.

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...