Splunk Search

Can you help me with the following regex?

jip31
Motivator

Hello

I want to add a rex field in my search

index="ai-wkst-wineventlog-fr" sourcetype="XmlWinEventLog" source="XmlWinEventLog:Application" (Level=1 OR Level=3) Name="'*'"

I want to extract the text which is included before "ProgID" and after "" and also the text which is after "ProgID"

Outlook a désactivé le ou les compléments suivants :
ProgID : WebExOI.Addin

Could you help me please??

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)

See here:
https://regex101.com/r/QdSDvV/1


0 Karma

mstjohn_splunk
Splunk Employee

hi @jip31

Did any of the answers below solve your problem? If so, please resolve this post by approving the one that helped you. If your problem is still not solved, keep us updated so that someone else can help. Thanks for posting!

0 Karma

jip31
Motivator

Hello all, and many thanks.
I want to add this regex in my query.
What is the good syntax, please?
| rex field=EventData_Xml "(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)f" | table message ProgID
| rex field=EventData_Xml "(?<text1>[^\r\n:]+)\s:\s*ProgID\s:\s(?<text2>[^\r\n]+)" | table text1 text2
?????

0 Karma

efavreau
Motivator

This looks like a different question to be asked.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

jip31
Motivator

I have no result when I do this:
| rex field=EventData_Xml "(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)f "| table message ProgID

0 Karma

woodcock
Esteemed Legend

I had an extra trailing f character (now deleted). Try this:

Your Search Here:
| rex field=EventData_Xml "(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)"| table message ProgID
0 Karma

woodcock
Esteemed Legend

Did this work @jip31?

0 Karma

jip31
Motivator

yes thanks!

0 Karma

wagnerlucena
Explorer

Hi. Please try this one: (.*?[\r\n]){1}+(.*?[\r\n]){1}

I've tested it on regex101.com and it looks exactly like what you are looking for.


0 Karma

FrankVl
Ultra Champion

Try this: (?<text1>[^\r\n:]+)\s:\s*ProgID\s:\s(?<text2>[^\r\n]+)
https://regex101.com/r/fRXqTf/1

0 Karma

jip31
Motivator

Hello, I don't succeed in using it. Is it something like this?

rex field=EventData_Xml "(?<text1>[^\r\n:]+)\s:\s*ProgID\s:\s(?<text2>[^\r\n]+)" | table EventData_Xml

0 Karma

FrankVl
Ultra Champion

Can you please make sure to post any code between backticks, or format it as a code snippet using the 101010 button in the editor toolbar? Right now special characters like <> disappear.

It should be something like:

| rex field=EventData_Xml "(?<message>[^\r\n:]+)\s:\s*ProgID\s:\s(?<ProgID>[^\r\n]+)" | table message ProgID

If that isn't working, then I'd like to see a screenshot, or more extensive piece of sample data.

0 Karma
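To see what the two patterns discussed in this thread actually capture, here is an added Python check (it is not code from the thread, from Splunk, or from any poster). It assumes the event text reaches rex with CRLF line breaks, as in the pasted sample; the only change to the patterns is that Python's re spells named groups (?P<name>...) where Splunk's PCRE uses (?<name>...). The third sample event is constructed with two spaces before the ProgID colon to show why the \s+ in woodcock's pattern is more tolerant than the single \s in FrankVl's.

```python
import re

# Constructed sample events modelled on the Outlook add-in message quoted in
# the thread (not captured data). Windows event text normally uses CRLF.
SAMPLE_EVENTS = [
    "Outlook a désactivé le ou les compléments suivants :\r\n"
    "ProgID : WebExOI.Addin",
    "Outlook a désactivé le ou les compléments suivants :\r\n"
    "ProgID : ColleagueImport.ColleagueImportAddin\r\n"
    "GUID : {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}\r\n"
    "Nom : Microsoft SharePoint Server Colleague Import Add-in",
    # Constructed variant: two spaces before the colon after ProgID.
    "Outlook a désactivé le ou les compléments suivants :\r\n"
    "ProgID  : WebExOI.Addin",
]

# woodcock's pattern. Splunk rex is PCRE, where named groups are (?<name>...);
# Python's re module writes them as (?P<name>...). (?ms) means the same in
# both engines: ^ matches at every line start and . also matches newlines.
MULTILINE_PATTERN = re.compile(
    r"(?ms)^(?P<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?P<ProgID>[^\r\n]+)"
)

# FrankVl's pattern with the same group-syntax translation. Note the single
# \s on each side of the ProgID colon: exactly one whitespace character.
LINE_PATTERN = re.compile(
    r"(?P<text1>[^\r\n:]+)\s:\s*ProgID\s:\s(?P<text2>[^\r\n]+)"
)


def extract(event: str, pattern: re.Pattern) -> dict:
    """Return the named groups as a dict (the fields rex would add), or {} on no match."""
    match = pattern.search(event)
    return match.groupdict() if match else {}


def extract_all(events, pattern):
    """Apply one pattern to every event, mirroring rex over a result set."""
    return [extract(event, pattern) for event in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("multiline:", extract(event, MULTILINE_PATTERN))
        print("line     :", extract(event, LINE_PATTERN))
```

Both patterns yield the French message text in one field and the add-in ProgID in the other for the two events shaped like the thread's sample; only the tolerant pattern matches the third event, which is the kind of whitespace difference to look for when a rex that tests fine on regex101 returns no results in Splunk.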

jip31
Motivator

Sorry Frank, no, it doesn't work.
You can see the code here:
https://cjoint.com/c/HKAjr4hOctc

0 Karma

FrankVl
Ultra Champion

Can you:
- show a screenshot that clearly shows the EventData_Xml field exists and what it looks like (feel free to mask any sensitive data)
- test the search in a simple way (so without all the rest of your query): just get the data and apply the rex command.

0 Karma

jip31
Motivator

Here is the screenshot:

https://cjoint.com/c/HKAlomr50Rc
No results in the simple way either.

0 Karma

FrankVl
Ultra Champion

Works fine for me: https://imgur.com/a/ew8Io7c

Can you share a screenshot of the search giving no results?

0 Karma

burwell
SplunkTrust

Hi. Can you provide log samples?

0 Karma

jip31
Motivator

Hi, here is a sample:
Outlook a désactivé le ou les compléments suivants :
ProgID : ColleagueImport.ColleagueImportAddin
GUID : {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}
Nom : Microsoft SharePoint Server Colleague Import Add-in

0 Karma