Hi,
I've actually just been looking into the same thing. It looks like you need to include a capture group within your regex that will match something in the event.
I found the best way to get this right the first time round is by starting with a search in Splunk Web that includes the regex command to test your regex quickly. Something like the example below should match your event. (Change the index to suit your needs.)
index=* | regex _raw="(?<=Level\>)(4)"
If this works, then you know your regex is matching correctly. You should then be able to take that and add it to a blacklist or whitelist, depending on what you want.
whitelist = $XmlRegex = '(?<=Level\>)(4)'
blacklist = $XmlRegex = '(?<=Level\>)(4)'
I also like to use https://regex101.com/ when I'm doing anything with regex; I'd recommend checking it out.
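An added example, not part of the original post: an offline check of the regex from the answer above against constructed XML events, showing which events a whitelist would keep and a blacklist would drop. The sample events, the `apply_filter` helper, and the bare `4` comparison pattern are assumptions made for illustration, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Pattern from the post: a "4" that directly follows "Level>".
LEVEL_4 = re.compile(r"(?<=Level\>)(4)")
# Comparison pattern (assumption, not from the post): no lookbehind anchor.
BARE_4 = re.compile(r"4")

# Constructed sample events, trimmed to the elements that matter here.
EVENTS = [
    "<Event><System><EventID>7036</EventID><Level>4</Level></System></Event>",
    "<Event><System><EventID>4625</EventID><Level>0</Level></System></Event>",
    "<Event><System><EventID>1014</EventID><Level>3</Level></System></Event>",
    "<Event><System><EventID>6005</EventID><Level>4</Level></System></Event>",
]


def event_id(xml):
    """Pull the EventID out of a sample event for readable output."""
    return re.search(r"<EventID>(\d+)</EventID>", xml).group(1)


def apply_filter(events, pattern, mode):
    """Return the events that would be kept.

    whitelist: keep only events the pattern matches.
    blacklist: drop events the pattern matches.
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    keep_on_match = mode == "whitelist"
    return [e for e in events if bool(pattern.search(e)) == keep_on_match]


def kept_ids(pattern, mode):
    """EventIDs of the sample events that survive the filter."""
    return [event_id(e) for e in apply_filter(EVENTS, pattern, mode)]


if __name__ == "__main__":
    print("whitelist, Level 4 :", kept_ids(LEVEL_4, "whitelist"))
    print("blacklist, Level 4 :", kept_ids(LEVEL_4, "blacklist"))
    # Without the lookbehind, a 4 inside an EventID also matches, so the
    # whitelist keeps events that are not Level 4 at all.
    print("whitelist, bare 4  :", kept_ids(BARE_4, "whitelist"))
```

The last line of output shows why the lookbehind matters: an unanchored `4` also matches EventIDs such as 4625 and 1014, so the filter would act on events of other levels.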