Solved: How to use multiple regular expressions in a singl...

neelakanta · ‎12-01-2014

I would like to use multiple regexes in single query. source data is full of random logs which has many fields. I am interested only on URL.

regex url="(:1000\/[a-zA-Z0-9]{10,20}\?[a-zA-Z0-9]{30} OR \/\/[0-9a-zA-Z.]{50,80}\/[0-9a-zA-Z.]{32}\/)"
regex url="(:1000\/[a-zA-Z0-9]{10,20}\?[a-zA-Z0-9]{30} | \/\/[0-9a-zA-Z.]{50,80}\/[0-9a-zA-Z.]{32}\/)"

does not return any results whereas individual regex fetches results.

neelakanta · ‎12-01-2014

those who would want to use multiple regex they can do this way:

index= source_index |regex url=":1000/[a-zA-Z0-9]{10,20}?[a-zA-Z0-9]{30}|[0-9a-zA-Z.]{50,80}/[0-9a-zA-Z.]{32}/" |table fields1 field2 field3

make sure no spaces around "|"

View solution in original post

tachifelix · ‎12-12-2014

you can use pipe character to separate it

regex url="(:1000/[a-zA-Z0-9]{10,20}?[a-zA-Z0-9]{30} OR //[0-9a-zA-Z.]{50,80}/[0-9a-zA-Z.]{32}/)|(:1000/[a-zA-Z0-9]{10,20}?[a-zA-Z0-9]{30} | //[0-9a-zA-Z.]{50,80}/[0-9a-zA-Z.]{32}/)"

neelakanta · ‎12-01-2014

those who would want to use multiple regex they can do this way:

index= source_index |regex url=":1000/[a-zA-Z0-9]{10,20}?[a-zA-Z0-9]{30}|[0-9a-zA-Z.]{50,80}/[0-9a-zA-Z.]{32}/" |table fields1 field2 field3

make sure no spaces around "|"

neelakanta · ‎12-01-2014

Fields are ip time host url accesstype
xx.xxx.xx.xx "01/06/2012:HH:MM:SS IST" hostname "ip:1000/abcd01234?/abcd1234/"
yy.yyy.yy.yy "01/06/2012:HH:MM:SS IST" hostname "domainname/abcd01234?/abcd1234/.php"

richgalloway · ‎12-01-2014

Can you provide some samples of the data you are trying to search?

---
If this reply helps you, Karma would be appreciated.

How to use multiple regular expressions in a single search query to extract only the URLs in my data?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies