https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292135#M88250 <P>would be helpful if you can share full event.<BR /> also try and use regexr or regex101</P> Thu, 23 Mar 2017 12:54:32 GMT adonio 2017-03-23T12:54:32Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292134#M88249 <P>Hallo,<BR /> i have to filter the following literals in an event and i am new in regex:</P> <P>user:info <BR /> ifconfig</P> <P>both literals must be in that event.</P> <P>this don't works:<BR /> ^.<EM>?\buser:info\b.</EM>?\bifconfig\b.*?$</P> <P>Thank you for helping<BR /> Gerd</P> Thu, 23 Mar 2017 07:53:20 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292134#M88249 gerdhuber 2017-03-23T07:53:20Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292135#M88250 <P>would be helpful if you can share full event.<BR /> also try and use regexr or regex101</P> Thu, 23 Mar 2017 12:54:32 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292135#M88250 adonio 2017-03-23T12:54:32Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292136#M88251 <P>When you post code, be sure to highlight the code and press the "code" button - it looks like 101 010. That will keep the interface from treating the characters in the code as html or formatting commands.</P> Thu, 23 Mar 2017 13:42:05 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292136#M88251 DalJeanis 2017-03-23T13:42:05Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292137#M88252 <P>If you are coding the initial search, rather than using data that has already been pulled by some prior search, then this search will return only records on the index called "foo" which have both your search terms...</P> <PRE><CODE>index=foo "user:info" "ifconfig" </CODE></PRE> <P>For an initial search, that is the most efficient way. </P> <HR /> <P>On the other hand, if you are trying to reduce a prior selection to only records which have both those fields, you could use either of these...</P> <PRE><CODE>| search "user:info" AND "ifconfig" </CODE></PRE> <P>or </P> <PRE><CODE>| regex field=_raw "^.*?user:info.*?ifconfig.*$" </CODE></PRE> <HR /> <P>This regex will match events that have the two terms in that order...</P> <PRE><CODE>^.*?user:info.*?ifconfig.*$ </CODE></PRE> <P>There are additional things you could do to make the regex marginally more efficient when it FAILS to match the event, but that's all you really need.</P> <P>Note: in some contexts the <CODE>:</CODE> may need to be escaped, so the regex would look like this...</P> <PRE><CODE>^.*?user\:info.*?ifconfig.*$ </CODE></PRE> Thu, 23 Mar 2017 13:49:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292137#M88252 DalJeanis 2017-03-23T13:49:26Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292138#M88253 <P>Like this:</P> <PRE><CODE>(?ms)(?:user:info.*ifconfig)|(?:ifconfig.*user:info) </CODE></PRE> Thu, 23 Mar 2017 14:22:40 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292138#M88253 woodcock 2017-03-23T14:22:40Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292139#M88254 <P>Thank you </P> Fri, 24 Mar 2017 06:33:06 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-regex-in-transforms-conf-to-find-two-words-in-an/m-p/292139#M88254 gerdhuber 2017-03-24T06:33:06Z