Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help With Regular Expression To Extract Values...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help With Regular Expression To Extract Values Between XML Element Tags on Multi-line
How to extract values between Elements tag.
<DataNode node-type="Contract">
<TransactionAttributes>
<entry key="CONTRACT_ID">contract2_100</entry>
</TransactionAttributes>
<Elements>
<ContractId>true</ContractId>
<DateOfBirth>true</DateOfBirth>
</Elements>
</DataNode>
<DataNode roster-type="search" node-type="Roster">
<TransactionAttributes>
<entry key="TRAN_ID">001</entry>
</TransactionAttributes>
<Elements>
<PhoneNo>true</PhoneNo>
<SNumber>true</SNumber>
</Elements>
</DataNode>
The following regular expression erroneously extract values apart from Element tags so Please let me know how to restrict it to retrieve values only between tags
rex "(?m)\<Elements>(?<abc>.*)</Elements>"
results in
<ContractId>true</ContractId><Name name-type="Name">true</Name><DateOfBirth>true</DateOfBirth></Elements></DataNode><DataNode ><TransactionAttributes><entry key="CONTRACT_ID">123</entry><entry
whereas the expected results is only between Elements tag i.e.
<ContractId>true</ContractId><Name name-type="Name">true</Name><DateOfBirth>true</DateOfBirth>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that .* matches greedy and so the matched part ends at the last occurrence of "</Elements>". You can make it work by adding the non-greedy quantifier: .*?
So this regex should work as expected:
rex "(?ms)\<Elements\>(?<abc>.*?)\</Elements\>"
In order to extract all matching parts of the event, you have to add the max_match parameter to the rex command. This instruct Splunk to make the resulting field multi-valued.
rex "(?ms)\<Elements\>(?<abc>.*?)\</Elements\>" max_match=999
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank. I need one more help. I am stranded extracting "values" only from below xml
I am expecting regex to give me output of values as: %, MALE, VA
rex "(?ms)<SearchElements>(?
Please take a moment to correct the regex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are a few links that might be helpful:
http://www.regular-expressions.info/
http://docs.python.org/library/re.html
http://gskinner.com/RegExr/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much once again. I would greatly appreciate if you could point me to good regular expression website specifically the one which helps me in writing fast Splunk queries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modified the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much. But it doesn't picks the
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
