Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I "OR" two regexs for two different fields?

nick405060
Motivator
‎08-30-2018 11:55 AM

I need to be able to do:

... | regex fieldA="<regex>" OR regex fieldB="<regex>" | ...

All of the other rex answers are suggesting a pipe, which wouldn't work here as far as I know.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-30-2018 02:34 PM

Give this a shot (not tested; might work): 

... | eval x=if(match(sender, "(?i)abc\d+@gmail.com"), 1, null)
    | eval y=if(match(message_subject, "aBC|baC"), 1, null)
    | stats  count by x, y 
    | where count > 1

View solution in original post

Reply
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-30-2018 02:34 PM

Give this a shot (not tested; might work): 

... | eval x=if(match(sender, "(?i)abc\d+@gmail.com"), 1, null)
    | eval y=if(match(message_subject, "aBC|baC"), 1, null)
    | stats  count by x, y 
    | where count > 1
Reply
Solved! Jump to solution

nick405060
Motivator
‎08-30-2018 03:15 PM

Thanks a bunch!! An admin should convert your comment to an answer. Much more elgant than what I did. I concat’d the two fields with a “#” in between and then regex’d on that new single field; the regex OR’d the before # and after #. Your solution is neater.

Reply
Solved! Jump to solution

mstjohn_splunk
Splunk Employee
Splunk Employee
‎08-30-2018 03:18 PM

Hi @nick405060, you asked and therefore, you received. I converted @nittala_surya 's comment to an answer. Would you mind approving it for me? Why not throw that user an upvote while you're at it 😉

Thanks for posting!

Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-30-2018 01:06 PM

I think you can achieve this with eval rather than rex. Can you paste some redacted events.

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎08-30-2018 01:10 PM

regex sender="(?i)abc\d+@gmail.com" OR
message_subject="aBC|baC"

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎08-30-2018 01:18 PM

It's definitely possible using eval and then a single regex search, but if anyone else has a less messy and more elegant way of doing this, it would be much appreciated (and I'm sure other people will/have wanted to do the same thing)

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎08-30-2018 12:17 PM

Why use an OR? Why not just create two different fields? You're trying to capture different values right?

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎08-30-2018 12:44 PM

I already have the two fields. I need to alert if one or both of them matches their respective regex.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...