Splunk Search

How do I "OR" two regexs for two different fields?

nick405060
Motivator

I need to be able to do:

... | regex fieldA="<regex>" OR regex fieldB="<regex>" | ...

All of the other rex answers are suggesting a pipe, which wouldn't work here as far as I know.

1 Solution

sudosplunk
Motivator

Give this a shot (not tested; might work):

... | eval x=if(match(sender, "(?i)abc\d+@gmail.com"), 1, null())
    | eval y=if(match(message_subject, "aBC|baC"), 1, null())
    | stats count by x, y
    | where count > 1
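The alert predicate the accepted answer builds, as an added example that is not part of the original thread. It applies the same two regexes to constructed sample events (not real mail data) and keeps an event when either field matches, which is the "one or both" condition the question asks for. Two things a practitioner should check before relying on the stats form: stats count by x, y only keeps events where both x and y are non-null, so confirm on your data that events matching just one field still surface; and in SPL the OR can be written directly in one where clause, because eval functions compose with OR:

... | where match(sender, "(?i)abc\d+@gmail.com") OR match(message_subject, "aBC|baC")

The Python below reproduces that predicate with re.search, which behaves like SPL match() for these patterns (unanchored, PCRE-compatible syntax). SENDER_RE_STRICT is an editor's suggestion, not from the thread: the unescaped dot in gmail.com also matches look-alike domains such as gmailXcom, which matters when the regex is what decides whether an alert fires.

```python
import re

# Same two patterns as the accepted answer. SPL match() is an unanchored
# PCRE search, which re.search() reproduces for patterns this simple.
SENDER_RE = re.compile(r"(?i)abc\d+@gmail.com")
SUBJECT_RE = re.compile(r"aBC|baC")

# Editor's suggestion (not from the thread): the unescaped '.' in
# "gmail.com" also matches "gmailXcom", "gmail-com", etc., so a look-alike
# sender domain satisfies the loose pattern. Escape the dot and anchor the end.
SENDER_RE_STRICT = re.compile(r"(?i)abc\d+@gmail\.com$")


def matches_either(event, sender_re=SENDER_RE, subject_re=SUBJECT_RE):
    """OR of the two per-field regexes: True if either field matches.

    A missing field counts as non-matching, the way a null field does in SPL.
    """
    sender = event.get("sender") or ""
    subject = event.get("message_subject") or ""
    return bool(sender_re.search(sender) or subject_re.search(subject))


def alert_events(events, **regexes):
    """Return the events that would trigger the alert, in input order."""
    return [e for e in events if matches_either(e, **regexes)]


# Constructed sample events (not real data); the comment says why each is here.
EVENTS = [
    {"id": 1, "sender": "ABC42@gmail.com", "message_subject": "hello"},          # sender only (case-insensitive)
    {"id": 2, "sender": "bob@example.org", "message_subject": "re: aBC report"}, # subject only
    {"id": 3, "sender": "abc7@gmail.com", "message_subject": "baC"},             # both fields
    {"id": 4, "sender": "bob@example.org", "message_subject": "abc report"},     # neither: subject regex has no (?i)
    {"id": 5, "sender": "abc9@gmailXcom.example", "message_subject": "none"},    # look-alike domain: loose matches, strict does not
    {"id": 6, "message_subject": "BAC"},                                         # sender missing, subject case mismatch
]

if __name__ == "__main__":
    print("loose :", [e["id"] for e in alert_events(EVENTS)])
    print("strict:", [e["id"] for e in alert_events(EVENTS, sender_re=SENDER_RE_STRICT)])
```

Event 5 is the one to look at: it fires with the thread's pattern and not with the escaped, anchored one, so if the alert is meant to catch a specific sender domain, tighten the regex before wiring it to a notable event.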

nick405060
Motivator

Thanks a bunch!! An admin should convert your comment to an answer. Much more elegant than what I did. I concat'd the two fields with a "#" in between and then regex'd on that new single field; the regex OR'd the parts before and after the #. Your solution is neater.

mstjohn_splunk
Splunk Employee

Hi @nick405060, you asked and therefore you received. I converted @nittala_surya's comment to an answer. Would you mind approving it for me? Why not throw that user an upvote while you're at it ;)

Thanks for posting!

sudosplunk
Motivator

I think you can achieve this with eval rather than rex. Can you paste some redacted events?

0 Karma

nick405060
Motivator

regex sender="(?i)abc\d+@gmail.com" OR
message_subject="aBC|baC"

0 Karma

nick405060
Motivator

It's definitely possible using eval and then a single regex search, but if anyone else has a less messy and more elegant way of doing this, it would be much appreciated (and I'm sure other people will/have wanted to do the same thing)

0 Karma

skoelpin
SplunkTrust

Why use an OR? Why not just create two different fields? You're trying to capture different values right?

0 Karma

nick405060
Motivator

I already have the two fields. I need to alert if one or both of them matches their respective regex.

0 Karma