I have some XML responses logged in Splunk which are pretty nested. Let's say there are multiple records of the form:
<records>
<record>
<Full Name>Ms. Brown Grimes</Full Name>
<Country>Dronning Maud Land</Country>
<NotificationEmail>Sam.Lemke@mckenzie.info</NotificationEmail>
<Created At>Fri Aug 25 1989 22:17:00 GMT-0700 (Pacific Daylight Time)</Created At>
<Id>10</Id>
<Email>Sam.Lemke@mckenzie.info</Email>
</record>
<record>
<Full Name>Irma Ledner I</Full Name>
<Country>Vatican City</Country>
<NotificationEmail>GabrielleGmail@gmail.com</NotificationEmail>
<Created At>Tue Nov 30 1993 08:16:58 GMT-0800 (Pacific Standard Time)</Created At>
<Id>12</Id>
<Email>Gabrielle@myrl.biz</Email>
</record>
</records>
Now I want to find all records where NotificationEmail is not equal to Email.
What I was trying was piping to a regex extractor:
rex "<record.*NotificationEmail>(?<nemail>\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b)<.*Email>(?<email>\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b)<"
where \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b is the regex to match an email.
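
One way to make this comparison record by record, as an added example that is not part of the original post: split each event into its `<record>` blocks first, then extract the two addresses from each block and compare them. It assumes the XML is in `_raw`; the index and sourcetype are placeholders, and `record` is a field name chosen here (`nemail` and `email` follow the names in the post).

```spl
index=<your_index> sourcetype=<your_sourcetype> "<records>"
| rex max_match=0 "(?s)(?<record><record>.*?</record>)"
| mvexpand record
| rex field=record "<NotificationEmail>(?<nemail>[^<]+)</NotificationEmail>"
| rex field=record "<Email>(?<email>[^<]+)</Email>"
| where nemail != email
| table nemail email
```

`(?s)` lets `.` cross the line breaks inside a record, and the non-greedy `.*?` stops each match at the first `</record>` so values from different records are never paired. Use `where lower(nemail) != lower(email)` if addresses that differ only in letter case should count as equal.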