Thanks, I just tried exactly what you posted...

REGEX = (service=53\\||service=5101\\|)

with 2 backslashes and it worked.

Thanks!!

I can understand your concern, because I have seen that happen. Have you tried including the |?
REGEX = (service=53\||service=5101\|)

Service=5101:

loc=612777|time=21Aug2013 9:33:46|action=accept|orig=10.10.10.10|i/f_dir=inbound|i/f_name=eth1-03|has_accounting=0|rule_name=DC-Srv Internet Rule|service_id=Test922-Range|src=10.10.10.10|s_port=45606|dst=10.10.10.10|service=5101|proto=tcp|xlatesrc=10.10.10.10|xlatesport=39439|xlatedport=0|NAT_rulenum=244|NAT_addtnl_rulenum=1host=splk-01 Options|

sourcetype=opsec Options|

source=/data/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA Options|

service_id=Test922-Range Options|

service=5101 Options|

xlatesrc=10.10.10.10

Well, there are 2 events (one contains service=53 and the other contains service=5101). And REGEX = (service=53|service=5101) actually works but I want to make sure that I'm not matching on service = 53XXX or 5101XXX etc. as well.

Sanitized events:

Service=53:

loc=561586|time=21Aug2013 9:30:16|action=accept|orig=10.10.10.10|i/f_dir=inbound|i/f_name=eth1-03|has_accounting=0|rule_name=DC-Srv Internet Rule|service_id=domain-udp|src=10.10.10.10|s_port=16478|dst=10.10.10.10|service=53|proto=udp|xlatesrc=10.10.10.10|xlatesport=59903|xlatedport=0|NAT_rulenum=244|NAT_addtnl_rulenum=1

Can you post the event that contains what you want to extract?
The $ is actually 'end of line' not end of string (I think).

I've tried that before and used the $ like this:

REGEX = (service=53$|service=5101$)

But this didn't work and actually stopped matching both 53 and 5101.

The $ is used to mark the end of the value.