I want to retrieve myuserid from the below _raw event. Please help me with rex in search.
<name>userid</name>\n <lvalue>\n <string>myuserid</string>\n
Try this:
... | rex "(?ms)<name>userid<\/name>[\r\n]*<lvalue>[\r\n]<string>(?<userid>.*)<\/string>"
A few assumptions:
- Hope the above is NOT pure xml?
- assuming is a unique xml tag for myuserid
The regex is:
| rex field=_raw "\<string\>(?<myuseridValue>.*)\<\/string\>"
Example query
| makeresults | eval _raw="<name>userid</name>\n <lvalue>\n <string>myuserid</string>\n " | rex field=_raw "\<string\>(?<myuseridValue>.*)\<\/string\>"| table _raw,myuseridValue
Is it really a \n string in your data, or are they representing a new line (is your data multiline)?
Also check if this works
your base search | rex "\<name\>userid([^\>]+\>){3}(?<userid>[^\<]+)"
\n is a string
Did you try the search I suggested?
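The three patterns posted in this thread, run against the sample event in both readings discussed above (literal `\n` text and real newlines). This is an added example, not part of any post. JavaScript's RegExp stands in for Splunk's PCRE as an assumption, and the `TWO_FIELDS` event and all helper names are constructed for illustration.

```javascript
// Added example. JavaScript's RegExp stands in for Splunk's PCRE (assumption).
const PATTERNS = {
  // "(?ms)" from the first rex is expressed as the m and s flags.
  first: /<name>userid<\/name>[\r\n]*<lvalue>[\r\n]<string>(?<userid>.*)<\/string>/ms,
  second: /\<string\>(?<myuseridValue>.*)\<\/string\>/,
  third: /\<name\>userid([^\>]+\>){3}(?<userid>[^\<]+)/,
};

// The sample event from the question, split where it shows "\n".
const SAMPLE = ["<name>userid</name>", " <lvalue>", " <string>myuserid</string>", " "];
// Constructed extension (not from the thread): a second field after userid.
const TWO_FIELDS = [...SAMPLE.slice(0, 3), " </lvalue>", " <name>host</name>",
  " <lvalue>", " <string>web01</string>", " "];

const LITERAL = "\\n"; // backslash + n, two characters
const NEWLINE = "\n";  // a real line feed

// Join the pieces with the chosen separator to build _raw.
function buildEvent(parts, sep) {
  return parts.join(sep);
}

// Return the value of the pattern's named capture group, or null on no match.
function extract(pattern, raw) {
  const m = pattern.exec(raw);
  return m ? Object.values(m.groups)[0] : null;
}

// Run every pattern against every event variant.
function compare() {
  const rows = [];
  for (const [event, parts] of [["sample", SAMPLE], ["two fields", TWO_FIELDS]]) {
    for (const [kind, sep] of [["literal \\n", LITERAL], ["newline", NEWLINE]]) {
      const raw = buildEvent(parts, sep);
      for (const [name, re] of Object.entries(PATTERNS)) {
        rows.push({ event, kind, pattern: name, value: extract(re, raw) });
      }
    }
  }
  return rows;
}

console.table(compare());
```

With the sample as written on this page (a space before each tag), the first pattern finds no match in either reading. In the constructed two-field event with literal `\n`, the second pattern's greedy `.*` runs on to the last `</string>`, while the third stays on the userid value.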