I need to be able to do:
... | regex fieldA="<regex>" OR regex fieldB="<regex>" | ...
All of the other rex answers are suggesting a pipe, which wouldn't work here as far as I know.
Give this a shot (not tested; might work):
... | eval x=if(match(sender, "(?i)abc\d+@gmail.com"), 1, null)
| eval y=if(match(message_subject, "aBC|baC"), 1, null)
| stats count by x, y
| where count > 1
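As an added example (not code from the thread), this expresses the "one or both fields match" alert condition directly with `match()` in a `where` clause. It reuses the thread's field names `sender` and `message_subject` and its two patterns, escapes the dot in `gmail.com` so it only matches a literal dot, and assigns 0 rather than null on a non-match so that the closing `stats` keeps every alerted event; `sender_hit`, `subject_hit` and `reason` are assumed field names.

```spl
... | eval sender_hit=if(match(sender, "(?i)abc\d+@gmail\.com"), 1, 0)
    | eval subject_hit=if(match(message_subject, "aBC|baC"), 1, 0)
    | where sender_hit=1 OR subject_hit=1
    | eval reason=case(sender_hit=1 AND subject_hit=1, "both",
                       sender_hit=1, "sender",
                       subject_hit=1, "subject")
    | stats count by reason
```

Drop the final `stats` to see the individual events; the `reason` field shows which regex fired for each one.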
Thanks a bunch!! An admin should convert your comment to an answer. Much more elegant than what I did. I concat'd the two fields with a "#" in between and then regex'd on that new single field; the regex OR'd the before-# and after-# parts. Your solution is neater.
Hi @nick405060, you asked and therefore, you received. I converted @nittala_surya's comment to an answer. Would you mind approving it for me? Why not throw that user an upvote while you're at it?
Thanks for posting!
I think you can achieve this with eval rather than rex. Can you paste some redacted events?
regex sender="(?i)abc\d+@gmail.com" OR
message_subject="aBC|baC"
It's definitely possible using eval and then a single regex search, but if anyone else has a less messy and more elegant way of doing this, it would be much appreciated (and I'm sure other people will/have wanted to do the same thing)
Why use an OR? Why not just create two different fields? You're trying to capture different values, right?
I already have the two fields. I need to alert if one or both of them matches their respective regex.