Field sample: <"Data Name='Description'>Microsoft ® Console Based Script Host"<"/Data">
| rex "(?<Description>[a-zA-Z0-9.: \\]+)<\/Data>"
| rex (?<Description>[a-zA-Z0-9.: \\]+)
Missing or malformed messages.conf stanza for SEARCHFACTORY:UNKNOWN_OP__a
Using | rex "(?<EventID>\d+)<\/EventID>", which does not have <"EventID='something'">, works fine.
The error occurs when the ["'] symbols are present.
| rex "(?<Description>\w+[a-zA-Z0-9:;'\"./\\ ]*)<\/Data>"
| lookup sys.csv EventID OUTPUT Description
| stats c by EventID,Date,Description
Unknown search command 'a'.
I am making a HUGE guess that the desire is that a field called Description
should obtain a value called "Microsoft ® Console Based Script Host"
and that other similarly encoded KVPs should be created likewise. If so, try this:
... | eval _raw="<\"Data Name='Description'>Microsoft ® Console Based Script Host\"<\"/Data\">"
| rex max_match=0 "Data Name='(?<key>[^']+)'\>(?<value>[^\"]+)"
| rex field=value mode=sed "s/^/\"/ s/$/\"/"
| eval _raw = mvzip(key, value, "=")
| kv
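The same extraction written in Python's re module, as an added illustration rather than code from the thread: the named groups that were stripped from the posted rex lines are what carry the key and value, and the pattern is widened so it accepts both the plain </Data> closer and the quoted form in the field sample, and tolerates quotes and backslashes inside the value. All sample events except the poster's own first line are constructed.

```python
import re

# Constructed sample events. The first is the poster's field sample with its
# stray '"' characters kept verbatim; the second is a made-up event in the
# usual Windows event XML form, including a value that contains '"' and '\'.
SAMPLE_QUOTED = (
    "<\"Data Name='Description'>Microsoft ® Console Based Script Host\"<\"/Data\">"
)
SAMPLE_XML = (
    "<EventID>1</EventID>"
    "<Data Name='Image'>C:\\Program Files\\Splunk\\bin\\splunkd.exe</Data>"
    "<Data Name='Description'>Microsoft ® Console Based Script Host</Data>"
    "<Data Name='CommandLine'>\"C:\\Windows\\System32\\cscript.exe\" /nologo x.vbs</Data>"
)

# Same idea as the answer's rex: the key is delimited by the single quotes of
# Name='...', so quotes and backslashes in the value cannot disturb it. The
# value is taken lazily up to the closing tag, in either the plain </Data>
# form or the '"<"/Data">' form seen in the sample, instead of stopping at the
# first double quote, so a value that itself contains '"' is captured whole.
DATA_ELEMENT = re.compile(
    r"Data Name='(?P<key>[^']+)'>(?P<value>[^<]*?)(?:\"<\"/Data\"|</Data>)"
)


def extract_data_fields(raw: str) -> dict:
    """Return {Name: value} for every <Data Name='...'> element in raw.

    This plays the role of `rex max_match=0` followed by `kv` in the answer
    above; the mvzip/sed step is unnecessary here because the result is a
    dict and no key="value" string has to be re-parsed.
    """
    return {m.group("key"): m.group("value") for m in DATA_ELEMENT.finditer(raw)}


if __name__ == "__main__":
    for sample in (SAMPLE_QUOTED, SAMPLE_XML):
        for key, value in extract_data_fields(sample).items():
            print(f"{key}={value}")
```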
<"Data Name='Image'">C:\Program Files\Splunk\bin\splunkd.exe<"/Data">
| rex field=_raw "(?<Image>[a-zA-Z0-9.: \\]+)<\/Data>"
This is my example.
What is your question? What field(s) are you trying to extract?
Please edit your question to restore the regular expressions. Don't change the indentation.