Notepad++ regex not working

2

I am trying to use Notepad++ and regular expressions to remove all XML from Windows' events.

My regular expression is as follows:

Event Xml:(.|\n)+?Event>\n

Example Windows events are as follows:

Log Name:      System
Source:        Service Control Manager
Date:          2016/04/29 11:54:00
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      hostname.domainname
Description:
The Adobe Flash Player Update Service service entered the stopped state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-29T10:54:00.113587400Z" />
    <EventRecordID>299771</EventRecordID>
    <Correlation />
    <Execution ProcessID="696" ThreadID="3904" />
    <Channel>System</Channel>
    <Computer>hostname.domainname</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Adobe Flash Player Update Service</Data>
    <Data Name="param2">stopped</Data>
    <Binary>410064006F006200650046006C0061007300680050006C0061007900650072005500700064006100740065005300760063002F0031000000</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Service Control Manager
Date:          2016/04/29 11:54:00
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      hostname.domainname
Description:
The Adobe Flash Player Update Service service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-29T10:54:00.113587400Z" />
    <EventRecordID>299770</EventRecordID>
    <Correlation />
    <Execution ProcessID="696" ThreadID="3904" />
    <Channel>System</Channel>
    <Computer>hostname.domainname</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Adobe Flash Player Update Service</Data>
    <Data Name="param2">running</Data>
    <Binary>410064006F006200650046006C0061007300680050006C0061007900650072005500700064006100740065005300760063002F0034000000</Binary>
  </EventData>
</Event>

The aforementioned regular expression works in http://www.regexpal.com/.

The aforementioned regular expression does not work in Notepad++.

mythofechelon

Posted 2016-04-29T12:06:39.007

Reputation: 653

Answers

1

Regular expression \r\nEvent Xml:(.|\r\n)+?Event> worked exactly as desired in removing all instances regardless of trailing end-of-file newline and without enabling the option ". matches newline".


Thanks to @DavidPostill and @Sylordis for helping me figure this out!

mythofechelon

Posted 2016-04-29T12:06:39.007

Reputation: 653

2

What is the regular expression to remove all XML?

  • Menu "Search" > "Replace" (or Ctrl + H)

  • Set "Find what" to Event Xml:(.*?)Event>

  • Set "Replace with" to an empty string

  • Enable "Regular expression"

  • Enable ". matches newline"

  • Click "Replace All"

Before:

Log Name:      System
Source:        Service Control Manager
Date:          2016/04/29 11:54:00
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      hostname.domainname
Description:
The Adobe Flash Player Update Service service entered the stopped state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-29T10:54:00.113587400Z" />
    <EventRecordID>299771</EventRecordID>
    <Correlation />
    <Execution ProcessID="696" ThreadID="3904" />
    <Channel>System</Channel>
    <Computer>hostname.domainname</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Adobe Flash Player Update Service</Data>
    <Data Name="param2">stopped</Data>
    <Binary>410064006F006200650046006C0061007300680050006C0061007900650072005500700064006100740065005300760063002F0031000000</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Service Control Manager
Date:          2016/04/29 11:54:00
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      hostname.domainname
Description:
The Adobe Flash Player Update Service service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-29T10:54:00.113587400Z" />
    <EventRecordID>299770</EventRecordID>
    <Correlation />
    <Execution ProcessID="696" ThreadID="3904" />
    <Channel>System</Channel>
    <Computer>hostname.domainname</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">Adobe Flash Player Update Service</Data>
    <Data Name="param2">running</Data>
    <Binary>410064006F006200650046006C0061007300680050006C0061007900650072005500700064006100740065005300760063002F0034000000</Binary>
  </EventData>
</Event>

After:

Log Name:      System
Source:        Service Control Manager
Date:          2016/04/29 11:54:00
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      hostname.domainname
Description:
The Adobe Flash Player Update Service service entered the stopped state.


Log Name:      System
Source:        Service Control Manager
Date:          2016/04/29 11:54:00
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      hostname.domainname
Description:
The Adobe Flash Player Update Service service entered the running state.


DavidPostill

Posted 2016-04-29T12:06:39.007

Reputation: 118 938

That's great, thank you. Any idea why mine didn't work, though? – mythofechelon – 2016-04-29T13:01:49.607

Probably because of your <eol> characters. Windows is \r\n, Unix is \n, old Mac is \r. This can be a pain. – DavidPostill – 2016-04-29T13:04:38.757

@Sylordis After some testing, it seems that you were both right. With the option ". matches newline" disabled, the regex Event Xml:(.|\r\n)+?Event> performed the same as the regex Event Xml:(.*?)Event> and the regex Event Xml:(.|\r\n)+?Event>\r\n only replaced the first instance due to the lack of a pre-existing end-of-file newline. Any ideas how to also strip out the additional newlines? – mythofechelon – 2016-04-29T13:14:41.907

Either way it's a two step process. Add a <return> at the end of the last line and use Event Xml:(.*?)Event>[\r\n]+ or use Event Xml:(.*?)Event> and then replace [\r\n]+ with \r\n. – DavidPostill – 2016-04-29T13:24:07.080

@mythofechelon Great. If one of the answers helped you please remember to accept it ;) – DavidPostill – 2016-04-29T13:26:04.760

0

You have to check the ". matches newline" option in Notepad++, otherwise a regular expression should only be considered line by line.

Sylordis

Posted 2016-04-29T12:06:39.007

Reputation: 111

Performing the find and replace using the above regex and that option results in ALL text being replaced. – mythofechelon – 2016-04-29T12:33:25.960

I can't comment on David's post so I'm gonna do that here: your expression didn't work because you were searching for another line at the end of your expression, but the end of your file doesn't have a new line. – Sylordis – 2016-04-29T13:06:25.000

@Sylordis Surely it should have found the first instance at least? – mythofechelon – 2016-04-29T13:07:15.760

When I tried it did actually... Just take care where your cursor is when you search and deactivate the wrap search, otherwise it selected the whole file. – Sylordis – 2016-05-02T13:52:37.977
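The line-ending and missing-final-newline effects raised in the comments under both answers can be reproduced outside the editor. The script below is an added example, not code from any poster; it uses Python's `re` module rather than Notepad++'s regex engine, the sample events are constructed and shortened, and the `PORTABLE` pattern and function names are assumptions introduced here.

```python
import re

# Constructed sample: two shortened events in the layout shown in the question,
# with no newline after the final </Event>.
_EVENT = (
    "Log Name:      System\n"
    "Event ID:      7036\n"
    "Description:\n"
    "The Adobe Flash Player Update Service service entered the {state} state.\n"
    "Event Xml:\n"
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">\n'
    '  <System>\n    <EventID Qualifiers="16384">7036</EventID>\n  </System>\n'
    "</Event>"
)
SAMPLE_LF = _EVENT.format(state="stopped") + "\n\n" + _EVENT.format(state="running")
SAMPLE_CRLF = SAMPLE_LF.replace("\n", "\r\n")  # same text with Windows line endings

QUESTION = r"Event Xml:(.|\n)+?Event>\n"      # pattern from the question
ANSWER = r"\r\nEvent Xml:(.|\r\n)+?Event>"    # pattern from the asker's own answer
# Assumption (not from the thread): accept any line ending before the marker
# and require nothing after </Event>, so the last event in a file also matches.
PORTABLE = re.compile(r"(?:\r\n|\r|\n)Event Xml:.*?</Event>", re.DOTALL)


def count_matches(pattern, text):
    """Number of non-overlapping matches of pattern in text."""
    return sum(1 for _ in re.finditer(pattern, text))


def strip_event_xml(text):
    """Remove each 'Event Xml:' block and the line break in front of it."""
    return PORTABLE.sub("", text)


if __name__ == "__main__":
    for name, text in (("LF", SAMPLE_LF), ("CRLF", SAMPLE_CRLF)):
        print(name,
              "question:", count_matches(QUESTION, text),
              "answer:", count_matches(ANSWER, text),
              "portable:", count_matches(PORTABLE, text))
    print(strip_event_xml(SAMPLE_CRLF))
```

The counts show each hard-coded pattern depending on one line-ending convention and, for the question's pattern, on a newline after the final `</Event>`.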