
How to use OR or AND in searchmatch(X) function?

New Member

I am trying to use the following query to generate a report, but it seems OR and AND are not working in searchmatch.

index=xxx sourcetype=xxxx | timechart count(eval(searchmatch("Login successful OR logged in"))) as Success, count(eval(searchmatch("Authentication failure OR Failed User"))) as Failed by sourcetype

It works perfectly if I don't use OR. Is there an alternative query that gets the same result as the query above?


Re: How to use OR or AND in searchmatch(X) function?

Legend

searchmatch(str) is really just an alias for match(_raw, str), and they're both regex-based. So what you need is the pipe character, which denotes an OR in regex:

... searchmatch("Authentication failure|Failed User")

Re: How to use OR or AND in searchmatch(X) function?

Motivator

Actually, what I am finding on the 6.x releases is that using a pipe in searchmatch as OR does not work -- it throws an error. However, if you use the match(_raw,regex) instead, the regex can have a pipe in it there.

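The rewrite the replies converge on is match(_raw, regex) with the OR expressed as a regex alternation, i.e. `| timechart count(eval(match(_raw, "Login successful|logged in"))) as Success, count(eval(match(_raw, "Authentication failure|Failed User"))) as Failed by sourcetype`. One thing to watch when making that switch: match() is a regex test and is case-sensitive unless the pattern starts with (?i), while plain search terms are case-insensitive, so a literal translation can silently drop events that differ only in case. The Python below is an added example, not code from the thread or from Splunk; it runs the two alternations over a handful of constructed log lines (not real data) and counts Success/Failed per sourcetype the way the stats/timechart clause would, once with the patterns as written and once with (?i) added.

```python
import re
from collections import defaultdict

# Constructed sample events, not taken from the original post: (sourcetype, _raw).
EVENTS = [
    ("sshd",   "Jan 10 10:00:01 host1 sshd[123]: Login successful for user alice"),
    ("sshd",   "Jan 10 10:00:05 host1 sshd[124]: Authentication failure for user bob"),
    ("webapp", "2024-01-10T10:00:07Z INFO user carol logged in from 10.0.0.5"),
    ("webapp", "2024-01-10T10:00:09Z WARN Failed User login attempt for dave"),
    # The next two differ from the patterns only in letter case.
    ("webapp", "2024-01-10T10:00:11Z INFO user erin LOGGED IN from 10.0.0.9"),
    ("sshd",   "Jan 10 10:00:15 host1 sshd[125]: authentication FAILURE for user frank"),
]

# The OR from the question rewritten as regex alternation, exactly as the replies suggest.
SUCCESS_RE = re.compile(r"Login successful|logged in")
FAILED_RE = re.compile(r"Authentication failure|Failed User")

# Same alternations with (?i). Splunk's match() is a case-sensitive regex test by
# default, whereas search terms are case-insensitive, so this is the closer equivalent.
SUCCESS_RE_CI = re.compile(r"(?i)Login successful|logged in")
FAILED_RE_CI = re.compile(r"(?i)Authentication failure|Failed User")


def match(raw: str, pattern: re.Pattern) -> bool:
    """Counterpart of eval match(_raw, regex): unanchored regex search over the raw event."""
    return pattern.search(raw) is not None


def count_by_sourcetype(events, success_re, failed_re):
    """Counterpart of
    '| stats count(eval(match(_raw, success))) as Success,
             count(eval(match(_raw, failed))) as Failed by sourcetype'
    (timechart does the same, bucketed by _time)."""
    out = defaultdict(lambda: {"Success": 0, "Failed": 0})
    for sourcetype, raw in events:
        if match(raw, success_re):
            out[sourcetype]["Success"] += 1
        if match(raw, failed_re):
            out[sourcetype]["Failed"] += 1
    return dict(out)


if __name__ == "__main__":
    # Case-sensitive alternation misses the two events that differ only in case.
    print("case-sensitive:  ", count_by_sourcetype(EVENTS, SUCCESS_RE, FAILED_RE))
    # With (?i) both of those events are counted, matching what the search terms would do.
    print("case-insensitive:", count_by_sourcetype(EVENTS, SUCCESS_RE_CI, FAILED_RE_CI))
```

The case-sensitive run reports one Success and one Failed per sourcetype; the (?i) run reports two Failed for sshd and two Success for webapp, because the "LOGGED IN" and "authentication FAILURE" events are now counted. The same difference shows up in the real search, so prefix the regex with (?i) when the intent is the case-insensitive matching the original searchmatch terms gave.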