How to extract "myuserid" from my _raw event?

sravankaripe · ‎03-07-2017

i want to retrieve myuserid from the below _raw event. please help me with rex in search.

<name>userid</name>\n <lvalue>\n <string>myuserid</string>\n

woodcock · ‎03-07-2017

Try this:

... | rex "(?ms)<name>userid<\/name>[\r\n]*<lvalue>[\r\n]<string>(?<userid>.*)<\/string>"

koshyk · ‎03-07-2017

Few assumptions
- Hope the above is NOT pure xml?
- assuming is a unique xml tag for myuserid

the regex is

| rex field=_raw "\<string\>(?<myuseridValue>.*)\<\/string\>"

Example query

| makeresults | eval _raw="<name>userid</name>\n <lvalue>\n <string>myuserid</string>\n " | rex field=_raw "\<string\>(?<myuseridValue>.*)\<\/string\>"| table _raw,myuseridValue

somesoni2 · ‎03-07-2017

Is it really a \n string in your data or they are representing new line? (your data is multiline)?

Also check if this works

your base search | rex "\<name\>userid([^\>]+\>){3}(?<userid>[^\<]+)"

sravankaripe · ‎03-07-2017

\n is a string

somesoni2 · ‎03-07-2017

Did you try the search I suggested?

How to extract "myuserid" from my _raw event?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to extract "myuserid" from my _raw event?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!