topic Re: How to merge two regex in single query? in Splunk Search

How to merge two regex in single query?

Rakzskull — Mon, 09 Jan 2023 06:07:24 GMT

I'd want to merge two regex strings into a single one; any suggestions would be greatly appreciated.

Reference Search Query -

index=* sourcetype=XYZ "<ABC2>" "<ABC1>"

| regex _raw="<ABC1>[^\x00-\x7F]"
| regex _raw="<ABC2>[^\x00-\x7F]"

Thanks in advance. 🙂

PaulPanther — Mon, 09 Jan 2023 07:46:55 GMT

Hello Rakzskull,

you can just combine two regex strings into one like everywhere else.

Easy example in your internal data would be

index=_internal | regex _raw="^(\d{2,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s-\s(splunk-system-user)"

If it does not work like expected please provide some example data and your regex strings.

Thank you!

ITWhisperer — Mon, 09 Jan 2023 08:58:31 GMT

If you know the order of ABC1 and ABC2 and you only want events where both start with a character outside the range then you could try

index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="<ABC1>[^\x00-\x7F].+<ABC2>[^\x00-\x7F]"

If you need either order, you could try

index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="(<ABC1>[^\x00-\x7F].+<ABC2>[^\x00-\x7F]|<ABC2>[^\x00-\x7F].+<ABC1>[^\x00-\x7F])"

Or if you want events where either start with a character outside the range

index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="(<ABC1>[^\x00-\x7F]|<ABC2>[^\x00-\x7F])"