Can you help me with the following regex?

Contributor

Hello

I want to add a rex field in my search

index="ai-wkst-wineventlog-fr" sourcetype="XmlWinEventLog" source="XmlWinEventLog:Application" (Level=1 OR Level=3) Name="'*'"

I want to extract the text which is included before "ProgID" and after "" and also the text which is after "ProgID"

Outlook a désactivé le ou les compléments suivants :
ProgID : WebExOI.Addin

Could you help me, please?

1 Solution

Esteemed Legend

Like this:

(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)

See here:
https://regex101.com/r/QdSDvV/1


Splunk Employee

Hi @jip31,

Did any of the answers below solve your problem? If so, please resolve this post by approving the one that helped you. If your problem is still not solved, keep us updated so that someone else can help. Thanks for posting!


Contributor

Hello all, and many thanks.
I want to add this regex to my query. What is the correct syntax, please?
| rex field=EventData_Xml "(?ms)^(?.?)\s:[\r\n\s]+ProgID\s+:\s+(?[^\r\n]+)f" | table message ProgID
| rex field=EventData_Xml "(?[^\r\n:]+)\s:\s*ProgID\s:\s(?[^\r\n]+)3 | table text1 text2


Builder

This looks like a different question to be asked.



Contributor

I have no result when I do this:
| rex field=EventData_Xml "(?ms)^(?.?)\s:[\r\n\s]+ProgID\s+:\s+(?[^\r\n]+)f "| table message ProgID


Esteemed Legend

I had an extra trailing f character (now deleted). Try this:

Your Search Here:
| rex field=EventData_Xml "(?ms)^(?<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?<ProgID>[^\r\n]+)"| table message ProgID

Esteemed Legend

Did this work @jip31?


Contributor

Yes, thanks!

Explorer

Hi. Please try this one: (.?[\r\n]){1}+(.?[\r\n]){1}

I've tested it on regex101.com and it looks like exactly what you are looking for.

Ultra Champion

Try this: (?<text1>[^\r\n:]+)\s:\s*ProgID\s:\s(?<text2>[^\r\n]+)
https://regex101.com/r/fRXqTf/1


Contributor

Hello, I don't succeed in using it. Is it something like this?

rex field=EventData_Xml "(?[^\r\n:]+)\s:\s*ProgID\s:\s(?[^\r\n]+)" | table EventData_Xml

Ultra Champion

Can you please make sure to post any code between backticks (`), or format it as a code snippet using the 101010 button in the editor toolbar? Right now special characters like <> disappear.

It should be something like:

| rex field=EventData_Xml "(?<message>[^\r\n:]+)\s:\s*ProgID\s:\s(?<ProgID>[^\r\n]+)" | table message ProgID

If that isn't working, then I'd like to see a screenshot, or a more extensive piece of sample data.
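The accepted answer's regex and the alternative posted just above, applied with Python's re module to a constructed event text modelled on the sample lines the asker posts at the end of this thread. This is an added example, not code from the thread or from Splunk; it assumes the group names message and ProgID from the answers and the field name EventData_Xml from the question. It also reproduces the two failure modes seen in the thread: the first version of the accepted pattern with the stray trailing f matches nothing, and the pattern as the forum editor rendered it (with the <...> group names stripped) does not compile at all.

```python
import re

# Constructed sample event text, modelled on the lines posted in this thread
# (CRLF line endings, as Windows event log message bodies commonly carry).
SAMPLE_EVENT = (
    "Outlook a désactivé le ou les compléments suivants :\r\n"
    "ProgID : ColleagueImport.ColleagueImportAddin\r\n"
    "GUID : {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}\r\n"
    "Nom : Microsoft SharePoint Server Colleague Import Add-in"
)

# The accepted answer, with Splunk's (?<name>...) groups written as Python's (?P<name>...).
ACCEPTED = r"(?ms)^(?P<message>.*?)\s*:[\r\n\s]+ProgID\s+:\s+(?P<ProgID>[^\r\n]+)"

# The same pattern with the stray trailing "f" from the first version of the answer:
# the ProgID value must then be followed by a literal f, which the sample is not.
WITH_TRAILING_F = ACCEPTED + "f"

# The alternative posted further down: no anchor, colon excluded from the first group.
ALTERNATIVE = r"(?P<message>[^\r\n:]+)\s:\s*ProgID\s:\s(?P<ProgID>[^\r\n]+)"

# What the forum editor made of the pattern once it swallowed the <...> group names.
STRIPPED_BY_EDITOR = r"(?ms)^(?.?)\s:[\r\n\s]+ProgID\s+:\s+(?[^\r\n]+)"


def compiles(pattern):
    """True if the pattern is a valid regex; the editor-stripped version is not."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract(pattern, text):
    """Apply the pattern once, the way rex does, and return the named groups (or None)."""
    m = re.search(pattern, text)
    return m.groupdict() if m else None


def rex_command(pattern, field="EventData_Xml"):
    """Build the SPL rex clause for a pattern (field name is an assumption from the question)."""
    # Splunk's PCRE wants the (?<name>...) form; map Python's (?P<name>...) back to it
    # and escape any double quotes so the pattern survives SPL's quoting.
    spl = pattern.replace("(?P<", "(?<").replace('"', '\\"')
    return f'| rex field={field} "{spl}"'


if __name__ == "__main__":
    for name, pat in [("accepted", ACCEPTED), ("trailing f", WITH_TRAILING_F), ("alternative", ALTERNATIVE)]:
        print(name, "->", extract(pat, SAMPLE_EVENT))
    print("editor-stripped pattern compiles:", compiles(STRIPPED_BY_EDITOR))
    print(rex_command(ACCEPTED) + " | table message ProgID")
```

Both working patterns yield the same two fields on this sample; the anchored accepted pattern additionally uses (?ms) so that ^ and .*? can span the first line even when the message body contains several lines before ProgID.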

Contributor

Sorry Franck, no, it doesn't work.
You can see the code here:
https://cjoint.com/c/HKAjr4hOctc

Ultra Champion

Can you:
- show a screenshot that clearly shows the EventData_Xml field exists and what it looks like (feel free to mask any sensitive data)
- test the search in a simple way (so without all the rest of your query): just get the data and apply the rex command.

Contributor

Here is the screenshot:

https://cjoint.com/c/HKAlomr50Rc
No results in the simple way either.

Ultra Champion

Works fine for me: https://imgur.com/a/ew8Io7c

Can you share a screenshot of the search giving no results?


SplunkTrust

Hi. Can you provide log samples?


Contributor

Hi,
Outlook a désactivé le ou les compléments suivants :
ProgID : ColleagueImport.ColleagueImportAddin
GUID : {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}
Nom : Microsoft SharePoint Server Colleague Import Add-in
