Hello, I tried with IFX, the problem is that the fields are extracted as the first, the "accès" does not appear:

If I display "view source" fields are visible :

On the Regex tester tool it is ok :

I do not understand because I have tried my hand with a regex tester (Kodos) and in the same way the code is to detect the field, but in Splunk, data back anyway.

If you are new in regex - as I am 🙂 - try to use :
Splunk's Field extractor (IFX)
or this very usefull regex tester tool : http://www.gskinner.com/RegExr/

Greetz Robert

Try the regex as Kristian posted (mofidied) :

(?msi)Accès\s+:\s+(ReadAttributes|SYNCHRONIZE)

It does not seem to work.
I attached a screenshot of the event that I want to filter:

Hello Robert,
I just want to filter events including the line "accès" contains "SYNCHRONIZE" or "ReadAttributes."
EventCode field is not enough, it is the 5145 and there are many.

Does your events look like that (single-line), or are they truly multi-line?

One thing that springs to mind is that the actual log event does NOT contain the equals-to character (=). Also, I'm not sure that the accented 'e' might cause problems, so I wildcarded it, and added one-or-more whitespaces after the colon.

Also, I removed the caret (start-of-line).

Try;

REGEX=(?msi)Acc.s:\s+(ReadAttributes|SYNCHRONIZE)

Hope this helps somewhat,

Kristian

I'm not shure, what you want to do ...

Do you want to filter all events where the string
"Accès" AND ("SYNCHRONIZE" OR "ReadAttributes")
occur?

Would be useful to specify your request.
Maybe it's better to filter by (known)fields like EventId, EventCode, etc. than plain strings ...

Greetz Robert