splunk – Regex Search for absence of a string inside a string multiline
I have an xml file with a bunch of query strings. I need to check for the absence of a command in each query.
Simplistically, I can identify a string which does not contain the substring. The pattern here correctly and only matches the 2nd row. Easy enough.
aa((?<!bb).)*?dd
aa-ee-bb-cc-dd
aa-ee-cc-dd
But when I attempt this in larger and multiline strings in my xml file, it captures all strings, even ones which contain the substring.
Goal: Look for strings inside of <query> element without “sistats” somewhere in it and not leak into the next query.
Here all 4 query strings are matched, even ones containing sistats. Only the bottom 3 should match.
(?s)(<search\s+id=".+?">).*?<query>((?<!sistats).)*?((?<!<\/search>).)*?<\/query>
<form>
<search id="id1">
<query>index=asdf
| fields asdf
| sistats count</query>
</search>
<search id="id2">
<query>index=asdf
| fields asdf
| chart count</query>
</search>
<search id="id3">
<query>index=asdf
| fields asdf
| sitimechart
| table asdf</query>
</search>
<search id="id4">
<query>index=asdf
| table asdf</query>
</search>
<row>
<panel>
How can I match only the bottom 3?
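An added example, not part of the original post: in the second pattern the trailing `((?<!<\/search>).)*?` group has no `sistats` check, so it consumes everything the first group refused, and every query matches. The Python sketch below runs the question's pattern beside a tempered negative lookahead that stops at either `sistats` or `</query>`; `SAMPLE`, `FIXED` and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample, modelled on the dashboard XML in the question.
SAMPLE = """<search id="id1">
<query>index=asdf
| fields asdf
| sistats count</query>
</search>
<search id="id2">
<query>index=asdf
| fields asdf
| chart count</query>
</search>
<search id="id3">
<query>index=asdf
| fields asdf
| sitimechart
| table asdf</query>
</search>
<search id="id4">
<query>index=asdf
| table asdf</query>
</search>
"""

# Pattern from the question, unchanged: the second tempered group lets it
# walk straight past "sistats" to the closing </query>.
ORIGINAL = re.compile(
    r'(?s)(<search\s+id=".+?">).*?<query>((?<!sistats).)*?((?<!<\/search>).)*?<\/query>'
)

# Assumed fix: each consumed character must not begin "sistats" or "</query>",
# and the hop from <search> to <query> may not cross a </search> boundary.
FIXED = re.compile(
    r'<search\s+id="([^"]+)">'
    r'(?:(?!</search>).)*?<query>'
    r'((?:(?!sistats|</query>).)*)</query>',
    re.DOTALL,
)

def original_matches(xml):
    """Opening <search> tags captured by the question's pattern."""
    return [m.group(1) for m in ORIGINAL.finditer(xml)]

def queries_without_sistats(xml):
    """Ids of searches whose <query> body never contains 'sistats'."""
    return [m.group(1) for m in FIXED.finditer(xml)]

if __name__ == "__main__":
    print(original_matches(SAMPLE), queries_without_sistats(SAMPLE))
```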