Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is there a more efficient way to match multiple values using rex?

richnavis88
Explorer
‎10-24-2022 10:59 AM

Hello,  I have to avoid matching several values in a fields.  The following works, but I"m wondering if there is a more efficient way... 
index=wineventlog host="myhost" EventCode=7036 | regex Message!="WMI" | regex Message!="WinHTTP"

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-24-2022 11:28 AM

There are few ways to go.

There first is to put the regex strings in the base search.

index=wineventlog host="myhost" EventCode=7036 Message IN ("*WMI*" "*WinHTTP*")

Another is to combine the regular expressions into a single regex command.

index=wineventlog host="myhost" EventCode=7036 | regex Message!="(WMI)|(WinHTTP)"

Yet another is to extract the desired strings and then filter on them.

index=wineventlog host="myhost" EventCode=7036 
| rex field=Message "(?<msg>WMI)" 
| rex field=Message "(?<msg>WinHTTP)"
| where isnotnull(msg)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎10-24-2022 01:08 PM

Any of these should be much faster with #2 and #3 being incrementally faster than the previous in the order.

1. index=wineventlog host="myhost" EventCode=7036 NOT Message IN ("*WMI*", "*WinHTTP*")
2. index=wineventlog host="myhost" TERM(EventCode=7036) NOT Message IN ("*WMI*", "*WinHTTP*")
3. index=wineventlog host="myhost" TERM(EventCode=7036) NOT WMI NOT WinHTTP NOT Message IN ("*WMI*", "*WinHTTP*")

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-24-2022 11:28 AM

There are few ways to go.

There first is to put the regex strings in the base search.

index=wineventlog host="myhost" EventCode=7036 Message IN ("*WMI*" "*WinHTTP*")

Another is to combine the regular expressions into a single regex command.

index=wineventlog host="myhost" EventCode=7036 | regex Message!="(WMI)|(WinHTTP)"

Yet another is to extract the desired strings and then filter on them.

index=wineventlog host="myhost" EventCode=7036 
| rex field=Message "(?<msg>WMI)" 
| rex field=Message "(?<msg>WinHTTP)"
| where isnotnull(msg)
---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...