Splunk Search

how to use OR in the field extract


hi, i want extract a field like this.
User xuy on SCVPN LGSSLVPN logs on from
authentication response to L2TPD module for user xuy

these are two logs, I want extract LGSSLVPN or L2TPD

I use "(?i) authentication response to |(?i) User .* on SCVPN (?P<FIELDNAME>[^ ]+)"
but it's wrong.

Tags (2)
0 Karma


There are a couple of ways to do this. The easiest is to split it into two field extractions that just happen to extract the same field name.

If you are extracting in props.conf, it would look like this:

EXTRACT-e1=(?i) authentication response to (?P<FIELDNAME>\S+)
EXTRACT-e2=(?i) User .* on SCVPN (?P<FIELDNAME>\S+)

Notice that I also simplified your [^ ]+ to \S, which means "one or more non-whitespace characters".

The (?i) means "case insensitive search" so I don't know if you actually need that either.

If you are extracting using the rex command, you can simply string two rex commands together.

| rex "(?i) authentication response to (?P<FIELDNAME>\S+)" 
| rex "(?i) User .* on SCVPN (?P<FIELDNAME>\S+)"
| stats or whatever you want to do here

But if you truly must combine it into one icky regular expression, this should work:

(?i) (?:authentication response to |User .* on SCVPN )(?P<FIELDNAME>[^ ]+)


yes, it has solve my issue, thank you.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...