Hope to find some help here.
I've tried several things now, including searching the answers here, but can't find the solution.
For example, I have a log file that is structured like this:
```xml
<?xml version="1.0" encoding="UTF-8"?>....
<Description>cli for user firstname.lastname@example.org</Description>
```
With the rex expression
`rex field=_raw ".*FLR</Result>\s+<EndTime>(?<EndTime>.*?)</EndTime>"`
I get the EndTime value. No problem.
But now I want to search for the first FLR and then for the
`rex field=_raw ".*FLR</Result>[WHATISMISSINGHERE??]<NlMsgId>(?<BMCI>.*?)</NlMsgId>"`
What do I have to set as a regular expression so that it skips the text in between?
I can't search directly for `<NlMsgId>` because there are also others before it in the text I haven't listed.
I've tried the star and a lot of other things with no success 😞
Also, does anyone have some hints on where best to start so I get more familiar with these regular expressions?
Thanks a lot and cheers
Firstly, you need an expression to match any character, including a newline. The dot does not match a newline by default, so you need alternation. Then, to remove everything up to the tag `<NlMsgId>`, you could use a zero-width look-ahead assertion, which checks for the text following your expression.
So try this:
```
rex field=_raw ".*FLR</Result>(?:\n|.)*(?=<NlMsgId>)<NlMsgId>(?<BMCI>.*?)</NlMsgId>"
```
- `(?:\n|.)*` matches any sequence of characters, including a newline
- `(?=<NlMsgId>)` checks that the previous expression is followed by `<NlMsgId>`, without "eating up" the match, so it is left for the next expression to pick up
Thanks a lot for your support.
I've tried several things but unfortunately it did not work 😞
This is my command string:
```
index=patrol sourcetype=pserverlog FLR CmdbId "<SmmPublishRollback>" | rex field=_raw ".*FLR</Result>(?:\n|.)*(?=<NlMsgId>)<NlMsgId>(?<BMCI>.*?)</NlMsgId>" | table _time BMCI
```
Only the time column will be shown.
Thanks and cheers
No, I've only appended the search part in front, placed your rex line and appended the table formatting. What do you mean by "does not match the previous data"?
I mean that the data you've pasted into the question will not be matched by the search, as it does not contain `<SmmPublishRollback>`. Maybe you didn't paste all the data into the question?
Sorry for the confusion. Yes, there is much more data in the log. That was the reason I placed some ..... there. The event that will be found could have 244 lines, and the part I listed is included in it.
Perhaps using xpath would help you? Quick testing with the following command yields results for me:
```
your_search | xpath outfield=NlMsgId "*/Replies/ReplyLast[Result="FLR"]/ResultNlMsg/NlMsgId"
```
Note: according to the documentation for xpath, you should need to escape the quotes surrounding FLR. However, escaping the quotes does not work for me, but the search included above does.
Mind you, if your data is complete and well formed, you might benefit from using the complete path, rather than a path with an asterisk, as I have done.
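An added example, not from this thread, that runs both approaches on a constructed multi-line event: the `(?:\n|.)*` regex from the first answer (Python's `re` handles these constructs like PCRE, except that it spells the named group `(?P<BMCI>...)` instead of `(?<BMCI>...)`), and the xpath path from the second answer evaluated with `xml.etree.ElementTree`. It goes slightly beyond the thread by contrasting the greedy `(?:\n|.)*` with its lazy form `(?:\n|.)*?`, which matters once several `<NlMsgId>` tags follow the FLR result. The event layout (`Root/Body/Replies/...`), the message ids and the function names are my assumptions, not taken from the poster's log.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event (not the poster's real log). It contains an
# <NlMsgId> *before* the FLR result, as the question describes, and two
# <NlMsgId> tags after it, so greedy and lazy matching give different answers.
SAMPLE_EVENT = """<?xml version="1.0" encoding="UTF-8"?>
<Root>
  <Body>
    <Description>cli for user firstname.lastname@example.org</Description>
    <Replies>
      <ReplyFirst>
        <Result>OK</Result>
        <ResultNlMsg>
          <NlMsgId>MSG-BEFORE</NlMsgId>
        </ResultNlMsg>
      </ReplyFirst>
      <ReplyLast>
        <Result>FLR</Result>
        <EndTime>2024-01-01T00:00:00</EndTime>
        <ResultNlMsg>
          <NlMsgId>MSG-AFTER-1</NlMsgId>
          <NlMsgId>MSG-AFTER-2</NlMsgId>
        </ResultNlMsg>
      </ReplyLast>
    </Replies>
  </Body>
</Root>
"""

# Plain ".*" cannot cross the line break after FLR</Result>, so this never matches.
RE_DOT_ONLY = re.compile(r".*FLR</Result>.*<NlMsgId>(?P<BMCI>.*?)</NlMsgId>")

# The first answer's pattern: (?:\n|.)* spans lines. It is greedy, so it
# backtracks from the end of the event to the LAST <NlMsgId> after FLR.
RE_GREEDY = re.compile(
    r".*FLR</Result>(?:\n|.)*(?=<NlMsgId>)<NlMsgId>(?P<BMCI>.*?)</NlMsgId>"
)

# Lazy variant: stops at the FIRST <NlMsgId> after the FLR result.
RE_LAZY = re.compile(
    r".*FLR</Result>(?:\n|.)*?(?=<NlMsgId>)<NlMsgId>(?P<BMCI>.*?)</NlMsgId>"
)


def extract_bmci(pattern, event):
    """Return the BMCI capture for the first match of pattern, or None."""
    match = pattern.search(event)
    return match.group("BMCI") if match else None


def extract_nlmsgids(event):
    """Second answer's xpath path, evaluated with ElementTree.

    ElementTree resolves the path relative to the root element, so the
    leading '*' stands for <Body> in the sample layout assumed above.
    The [Result="FLR"] predicate keeps only ReplyLast elements whose
    Result child has exactly the text FLR.
    """
    root = ET.fromstring(event.encode("utf-8"))
    path = '*/Replies/ReplyLast[Result="FLR"]/ResultNlMsg/NlMsgId'
    return [node.text for node in root.findall(path)]


if __name__ == "__main__":
    print("dot only :", extract_bmci(RE_DOT_ONLY, SAMPLE_EVENT))
    print("greedy   :", extract_bmci(RE_GREEDY, SAMPLE_EVENT))
    print("lazy     :", extract_bmci(RE_LAZY, SAMPLE_EVENT))
    print("xpath    :", extract_nlmsgids(SAMPLE_EVENT))
```

When you move the pattern back into Splunk's rex, keep the `(?<BMCI>...)` spelling. The lazy `*?` is the one to reach for if the event can hold more than one `<NlMsgId>` after the FLR result and you want the nearest one; the greedy form silently returns the last. PCRE, which rex uses, also accepts the `(?s)` modifier to make `.` itself match newlines, which is an alternative to the `(?:\n|.)` alternation.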