Use rex command in your search string like this:
...|rex "(?i)(?P<Host>192\.168\.144\.1|192\.168\.244\.1)" |search Host|.....
Hi,
This boils down to understanding how SPL works.
The search 192.168.(144 OR 244).1 works because you really do a free-text search. And this free-text search can be broken into three parts: 192.168. / (144 OR 244) / .1, which is just the same as writing "192.168." AND (144 OR 244) AND ".1", or ".1" AND "192.168." AND (144 OR 244).
If you check the Job Inspector, you will find good information on this. E.g. Splunk translates 192.168.(144 OR 244).1 into
keywords *.1* *192.168.* 144 244
This approach will not work as expected when searching in specific fields. Again, this is because Splunk breaks up the search into multiple statements.
srcIP=192.168.(144 OR 244).1
will be the same as writing srcIP="192.168." AND (144 OR 244) AND ".1", where (144 OR 244) AND ".1" is a free-text search.
Cheers!
#Sven Emil
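The following Python script is an added illustration and is not code from this thread or from Splunk. It models the two approaches discussed above over a handful of constructed events: the free-text keyword expansion "192.168." AND (144 OR 244) AND ".1" that the answer above describes (modelled here as a simplified tokenisation, not Splunk's real lexer), and the rex-based extraction from the earlier answer, both with the dots left unescaped as originally posted and with them escaped. It shows why the keyword form can match events where the three terms sit in different fields, and why unescaped dots in the regex match more than an IP address.

```python
import re

# Constructed sample events, not taken from the thread. Each string is one raw event.
EVENTS = [
    "2024-01-01T10:00:00 srcIP=192.168.144.1 dstIP=10.0.0.5 action=allow",
    "2024-01-01T10:00:01 srcIP=192.168.244.1 dstIP=10.0.0.6 action=allow",
    "2024-01-01T10:00:02 srcIP=192.168.14.1 dstIP=10.0.0.7 action=deny",
    # All three free-text terms occur, but spread across two different fields.
    "2024-01-01T10:00:03 srcIP=10.192.168.9 dstIP=244.0.0.1 action=deny",
    # Not an IP at all; only matters for a regex with unescaped dots.
    "2024-01-01T10:00:04 srcIP=192x168x144x1 dstIP=10.0.0.8 action=allow",
]


def _major_tokens(event):
    """Assumption: split on anything that is not a letter, digit or dot,
    roughly like Splunk's major breakers. This is a simplification."""
    return re.findall(r"[A-Za-z0-9.]+", event)


def keyword_search(event):
    """Model of the keyword expansion *192.168.* (144 OR 244) *.1*.
    Wildcard terms are checked as substrings of a token; the bare terms
    144 and 244 must equal a token or a dot-separated part of one."""
    majors = _major_tokens(event)
    minors = {part for tok in majors for part in tok.split(".") if part}
    has_prefix = any("192.168." in tok for tok in majors)  # *192.168.*
    has_mid = bool({"144", "244"} & minors)                  # 144 OR 244
    has_suffix = any(".1" in tok for tok in majors)          # *.1*
    return has_prefix and has_mid and has_suffix


# Regex as posted in the rex answer: '.' matches any character, so it is too loose.
UNESCAPED = re.compile(r"(?i)(?P<Host>192.168.144.1|192.168.244.1)")

# Escaped dots plus digit lookarounds so 192.168.144.10 or x192.168.144.1 do not match.
ESCAPED = re.compile(r"(?i)(?<![0-9])(?P<Host>192\.168\.(?:144|244)\.1)(?![0-9])")


def keyword_hits(events=EVENTS):
    """Indices of events the free-text keyword search would return."""
    return [i for i, e in enumerate(events) if keyword_search(e)]


def rex_hits(pattern, events=EVENTS):
    """Indices of events kept by '| rex ... | search Host' using the given pattern."""
    return [i for i, e in enumerate(events) if pattern.search(e)]


if __name__ == "__main__":
    print("keyword search hits:", keyword_hits())          # includes the cross-field event
    print("rex (unescaped dots):", rex_hits(UNESCAPED))    # includes 192x168x144x1
    print("rex (escaped dots):  ", rex_hits(ESCAPED))      # only the two real hosts
```

The keyword form returns event 3 because "192.168." appears in srcIP while 244 and ".1" appear in dstIP, which is exactly the consequence of the search being split into independent terms. The rex form pins the match to a single field value, and escaping the dots closes the remaining gap.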
Aaah. Thank you a lot!
There is no way to express exactly what you want. Btw while the following does not do the right thing
192.168. ( 144 OR 244 ) .1
May I ask what's the reason/value in shortening the search string?
192.168. ( 144 OR 244 ) .1
surely does not do the right thing, because you have 3 independent strings due to the blanks between the values and the brackets. I tested my approach | search 192.168.(144 OR 244).1 and it worked fine. Still I can't get it to work with a field, e.g.: | search srcIP=192.168.(144 OR 244).1
Not sure if it does work:
192.168.(144 OR 244).1
Round brackets without subsearch.
I swear I tried that before! That works, thanks!
spooky 🙂