Splunk Search

Is there a more efficient way to match multiple values using rex?

richnavis88
Explorer

Hello,  I have to avoid matching several values in a fields.  The following works, but I"m wondering if there is a more efficient way... 
index=wineventlog host="myhost" EventCode=7036 | regex Message!="WMI" | regex Message!="WinHTTP"

Labels (1)
1 Solution

richgalloway
SplunkTrust
SplunkTrust

There are few ways to go.

There first is to put the regex strings in the base search.

index=wineventlog host="myhost" EventCode=7036 Message IN ("*WMI*" "*WinHTTP*")

Another is to combine the regular expressions into a single regex command.

index=wineventlog host="myhost" EventCode=7036 | regex Message!="(WMI)|(WinHTTP)"

Yet another is to extract the desired strings and then filter on them.

index=wineventlog host="myhost" EventCode=7036 
| rex field=Message "(?<msg>WMI)" 
| rex field=Message "(?<msg>WinHTTP)"
| where isnotnull(msg)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

johnhuang
Motivator

Any of these should be much faster with #2 and #3 being incrementally faster than the previous in the order.

1. index=wineventlog host="myhost" EventCode=7036 NOT Message IN ("*WMI*", "*WinHTTP*")
2. index=wineventlog host="myhost" TERM(EventCode=7036) NOT Message IN ("*WMI*", "*WinHTTP*")
3. index=wineventlog host="myhost" TERM(EventCode=7036) NOT WMI NOT WinHTTP NOT Message IN ("*WMI*", "*WinHTTP*")

richgalloway
SplunkTrust
SplunkTrust

There are few ways to go.

There first is to put the regex strings in the base search.

index=wineventlog host="myhost" EventCode=7036 Message IN ("*WMI*" "*WinHTTP*")

Another is to combine the regular expressions into a single regex command.

index=wineventlog host="myhost" EventCode=7036 | regex Message!="(WMI)|(WinHTTP)"

Yet another is to extract the desired strings and then filter on them.

index=wineventlog host="myhost" EventCode=7036 
| rex field=Message "(?<msg>WMI)" 
| rex field=Message "(?<msg>WinHTTP)"
| where isnotnull(msg)
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...