splunk – Regex Search for absence of a string inside a string multiline

I have an xml file with a bunch of query strings. I need to check for the absence of a command in each query.

Simplistically, I can identify a string which does not contain the substring. The pattern here correctly and only matches the 2nd row. Easy enough.

aa((?<!bb).)*?dd

aa-ee-bb-cc-dd
aa-ee-cc-dd

But when I attempt this in larger and multiline strings in my xml file, it captures all strings, even ones which contain the substring.

Goal: Look for strings inside of <query> element without “sistats” somewhere in it and not leak into the next query.

Here all 4 query strings are matched, even ones containing sistats. Only the bottom 3 should match.

(?s)(<search\s+id=".+?">).*?<query>((?<!sistats).)*?((?<!<\/search>).)*?<\/query>

<form>
  <search id="id1">
    <query>index=asdf
| fields asdf
| sistats count</query>
  </search>
  <search id="id2">
    <query>index=asdf
| fields asdf
| chart count</query>
  </search>
  <search id="id3">
    <query>index=asdf
| fields asdf
| sitimechart
| table asdf</query>
  </search>
  <search id="id4">
    <query>index=asdf
| table asdf</query>
  </search>
  <row>
    <panel>

regex101.com/r/V4ztar/1

How can I match only the bottom 3?
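One way to get the three intended matches, shown as an added example that is not part of the original post: the question's pattern matches all four because its second lazy group has no sistats guard and simply consumes whatever the first group declined. The sketch below checks this in Python's `re` using the question's sample XML (trailing `<row>`/`<panel>` dropped, `</form>` added), then tries a negative lookahead applied before every character; the names `ORIGINAL`, `FIXED` and `ids_matched` are hypothetical, and the constructs used are also available in PCRE.

```python
import re

# Sample from the question, trimmed and closed so it is self-contained.
XML = """<form>
  <search id="id1">
    <query>index=asdf
| fields asdf
| sistats count</query>
  </search>
  <search id="id2">
    <query>index=asdf
| fields asdf
| chart count</query>
  </search>
  <search id="id3">
    <query>index=asdf
| fields asdf
| sitimechart
| table asdf</query>
  </search>
  <search id="id4">
    <query>index=asdf
| table asdf</query>
  </search>
</form>"""

# Pattern from the question: group 2 can match zero characters and
# group 3 (guarded only against </search>) then swallows "sistats".
ORIGINAL = re.compile(
    r'(?s)(<search\s+id=".+?">).*?<query>((?<!sistats).)*?'
    r'((?<!<\/search>).)*?<\/query>')

# Added alternative: before consuming each character, refuse if "sistats"
# or the closing tag starts at this position. \s* (instead of .*?) between
# the tags keeps the match from leaking into a later <search> element.
FIXED = re.compile(
    r'(?s)<search\s+id="([^"]+)">\s*<query>((?:(?!sistats|</query>).)*)</query>')

def ids_matched(pattern, text=XML):
    """Return the search ids of every element the pattern matches."""
    return [re.search(r'id="([^"]+)"', m.group(0)).group(1)
            for m in pattern.finditer(text)]

if __name__ == "__main__":
    print("original:", ids_matched(ORIGINAL))
    print("fixed:   ", ids_matched(FIXED))
```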