We need to extract the value behind "<Computer>"
I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object
I always recommend not to treat structured data such as XML as text. Regex is usually the last route you want to go because it is not as robust as QA-tested Splunk built-in functions such as spath.
I suspect the posted data is just a snippet and not the complete event. But the snippet itself looks compliant. If the raw event is compliant XML, Splunk should have given you fields like Event.System.Computer. If you don't have that, try setting KV_MODE=xml. If there are other elements in the raw event that are not part of the XML, e.g., timestamp, log level, etc., you should use rex to extract the compliant XML into a field, say data, then use spath on it.
Here is an emulation based on your mock snippet, assuming you have the XML in data. (Replace with _raw if the entire event is XML.)
| makeresults
| eval data ="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData>"
``` data emulation above ```
| spath input=data
| fields - data _*
| transpose column_name=fieldname
| rename "row 1" as fieldvalue
This gives
| fieldname | fieldvalue |
|---|---|
| Event.EventData.Data | 157f6670-a34e-4258-8c5a-695a5d47a600 1 1 |
| Event.EventData.Data{@Name} | InstanceId MaxRunspaces MinRunspaces |
| Event.System.Channel | Microsoft-Windows-PowerShell/Operational |
| Event.System.Computer | server.domain |
| Event.System.Correlation{@ActivityID} | {157f6670-a34e-4258-8c5a-695a5d47a600} |
| Event.System.EventID | 8194 |
| Event.System.EventRecordID | 5161615 |
| Event.System.Execution{@ProcessID} | 6056 |
| Event.System.Execution{@ThreadID} | 5928 |
| Event.System.Keywords | 0x0 |
| Event.System.Level | 5 |
| Event.System.Opcode | 16 |
| Event.System.Provider{@Guid} | {a0c1853b-5c40-4b15-8766-3cf1c58f985a} |
| Event.System.Provider{@Name} | Microsoft-Windows-PowerShell |
| Event.System.Security{@UserID} | S-1-5-21-3521695231-3467208260-910013933-395133 |
| Event.System.Task | 1 |
| Event.System.TimeCreated{@SystemTime} | 2024-01-25T22:00:11.2420989Z |
| Event.System.Version | 1 |
| Event{@xmlns} | http://schemas.microsoft.com/win/2004/08/events/event |
Hope this helps.
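As an added illustration of what the answer above describes (this is example code written for this page, not part of the original thread and not Splunk's spath implementation), the Python below does the two steps in plain code: first it pulls the well-formed `<Event>...</Event>` document out of a raw line that carries extra text around it (the "rex the compliant XML into a field" step), then it flattens the XML into the same spath-style field names shown in the table, `Event.System.Computer`, `Event.EventData.Data{@Name}` and so on, with repeated elements collected as multivalue lists. The sample event is constructed from the one in the question, with the missing closing `</Event>` added and a made-up syslog-style prefix in front of it. The `event_data` helper that pairs each `Data` element's `Name` attribute with its text is an addition; Splunk does not produce those paired fields from spath alone.

```python
"""Added example: extract a Windows event XML document from a raw log line and
flatten it into spath-style field names (e.g. Event.System.Computer)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the event from the question with </Event> appended so it
# is well-formed, plus a syslog-style prefix so the XML is not the whole line.
RAW_EVENT = (
    "Jan 25 22:00:11 server.domain INFO "
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-PowerShell' "
    "Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/>"
    "<EventID>8194</EventID><Version>1</Version><Level>5</Level>"
    "<Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords>"
    "<TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/>"
    "<EventRecordID>5161615</EventRecordID>"
    "<Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/>"
    "<Execution ProcessID='6056' ThreadID='5928'/>"
    "<Channel>Microsoft-Windows-PowerShell/Operational</Channel>"
    "<Computer>server.domain</Computer>"
    "<Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/>"
    "</System><EventData>"
    "<Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data>"
    "<Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data>"
    "</EventData></Event>"
)

# Greedy match from the first <Event ...> to the last </Event> in the line.
XML_DOC = re.compile(r"<Event\b.*</Event>", re.DOTALL)


def extract_xml(raw):
    """Equivalent of the answer's rex step: isolate the compliant XML."""
    m = XML_DOC.search(raw)
    if not m:
        raise ValueError("no <Event>...</Event> document found in raw event")
    return m.group(0)


def _local(tag):
    # ElementTree renders namespaced tags as '{uri}Name'; keep only 'Name'.
    return tag.rsplit("}", 1)[-1]


def flatten(xml_text):
    """Return {spath_style_path: [value, ...]} for element text and attributes.

    Repeated elements (the three <Data> children) accumulate into one list,
    mirroring the multivalue fields spath produces.
    """
    fields = defaultdict(list)

    def walk(elem, path):
        for attr, value in elem.attrib.items():
            fields[f"{path}{{@{attr}}}"].append(value)
        text = (elem.text or "").strip()
        if text:
            fields[path].append(text)
        for child in elem:
            walk(child, f"{path}.{_local(child.tag)}")

    root = ET.fromstring(xml_text)
    name = _local(root.tag)
    walk(root, name)
    # ElementTree does not expose xmlns as an attribute; record it like spath.
    if root.tag.startswith("{"):
        fields[f"{name}{{@xmlns}}"].append(root.tag[1:].split("}", 1)[0])
    return dict(fields)


def event_data(xml_text):
    """Added helper: pair each <Data Name='X'>value</Data> as {'X': 'value'}."""
    root = ET.fromstring(xml_text)
    pairs = {}
    for elem in root.iter():
        if _local(elem.tag) == "Data" and "Name" in elem.attrib:
            pairs[elem.attrib["Name"]] = (elem.text or "").strip()
    return pairs


if __name__ == "__main__":
    doc = extract_xml(RAW_EVENT)
    for key, values in sorted(flatten(doc).items()):
        print(f"{key} = {' '.join(values)}")
    print("Computer:", flatten(doc)["Event.System.Computer"][0])
```

Running it prints one line per spath-style field, in the same shape as the transposed table above, and then the value of `Event.System.Computer`. If the regex in `extract_xml` finds nothing, the function raises instead of silently returning an empty record, which is the case you want to notice when an event source starts shipping truncated XML.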
I assume by "break into single lines" you mean expand to multiple events?
| rex max_match=0 "\<Computer\>(?<computer>[^\<]*)\</Computer\>"
| mvexpand computer