topic Pattern match on two different fields in Splunk Search

Pattern match on two different fields

tnkoehn — Mon, 28 Sep 2020 12:47:58 GMT

I am performing a search where I want to find events if one of two fields matches a specific pattern (which is the same for both fields). I've tried regex, but it doesn't seem to like an OR operator.

search traffic | transaction Acct_ID startswith="START" endswith="STOP" | regex Egress="^\w{3}\d{4}" OR regex Ingress="^\w{3}\d{4}"

Is there any way to do this?

Re: Pattern match on two different fields

alacercogitatus — Tue, 13 Nov 2012 18:59:09 GMT

I believe you are close, however since regex drops events, I'd go a different path and use some matching in eval. Try this:

search traffic | transaction Acct_ID startswith="START" endswith="STOP"| eval ematch=if(match(Egress,"^\w{3}\d{4}"),1,0)|eval imatch=if(match(Ingress,"^\w{3}\d{4}"),1,0)|where ematch>0 OR imatch>0

Re: Pattern match on two different fields

tnkoehn — Tue, 13 Nov 2012 19:10:40 GMT

You are a rock star! Works great. Thanks!

Re: Pattern match on two different fields

Rob — Tue, 13 Nov 2012 20:19:07 GMT

+1 @alacercogitatus Really nice way of avoiding using the regex command and using the eval functions instead. My solutions would have been to use rex to grab things out.

Re: Pattern match on two different fields

alacercogitatus — Tue, 13 Nov 2012 20:23:48 GMT

Thanks! Just doing my part to help!