Re: How to merge two regex in single query?

Rakzskull · ‎01-08-2023

I'd want to merge two regex strings into a single one; any suggestions would be greatly appreciated.

Reference Search Query -

index=* sourcetype=XYZ "<ABC2>" "<ABC1>"

| regex _raw="<ABC1>[^\x00-\x7F]"
| regex _raw="<ABC2>[^\x00-\x7F]"

Thanks in advance. 🙂

ITWhisperer · ‎01-09-2023

If you know the order of ABC1 and ABC2 and you only want events where both start with a character outside the range then you could try

index=* sourcetype=XYZ "<ABC2>" "<ABC1>"

| regex _raw="<ABC1>[^\x00-\x7F].+<ABC2>[^\x00-\x7F]"

If you need either order, you could try

index=* sourcetype=XYZ "<ABC2>" "<ABC1>"

| regex _raw="(<ABC1>[^\x00-\x7F].+<ABC2>[^\x00-\x7F]|<ABC2>[^\x00-\x7F].+<ABC1>[^\x00-\x7F])"

Or if you want events where either start with a character outside the range

index=* sourcetype=XYZ "<ABC2>" "<ABC1>"

| regex _raw="(<ABC1>[^\x00-\x7F]|<ABC2>[^\x00-\x7F])"

PaulPanther · ‎01-08-2023

Hello Rakzskull,

you can just combine two regex strings into one like everywhere else.

Easy example in your internal data would be

index=_internal | regex _raw="^(\d{2,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s-\s(splunk-system-user)"

If it does not work like expected please provide some example data and your regex strings.

Thank you!

How to merge two regex in single query?