how to use OR in the field extract

perlish · ‎10-03-2012

hi, i want extract a field like this.
User xuy on SCVPN LGSSLVPN logs on from
authentication response to L2TPD module for user xuy

these are two logs, I want extract LGSSLVPN or L2TPD

I use "(?i) authentication response to |(?i) User .* on SCVPN (?P<FIELDNAME>[^ ]+)"
but it's wrong.

lguinn2 · ‎10-03-2012

There are a couple of ways to do this. The easiest is to split it into two field extractions that just happen to extract the same field name.

If you are extracting in props.conf, it would look like this:

[yoursourcetypehere]
EXTRACT-e1=(?i) authentication response to (?P<FIELDNAME>\S+)
EXTRACT-e2=(?i) User .* on SCVPN (?P<FIELDNAME>\S+)

Notice that I also simplified your [^ ]+ to \S, which means "one or more non-whitespace characters".

The (?i) means "case insensitive search" so I don't know if you actually need that either.

If you are extracting using the rex command, you can simply string two rex commands together.

yoursearchhere 
| rex "(?i) authentication response to (?P<FIELDNAME>\S+)" 
| rex "(?i) User .* on SCVPN (?P<FIELDNAME>\S+)"
| stats or whatever you want to do here

But if you truly must combine it into one icky regular expression, this should work:

(?i) (?:authentication response to |User .* on SCVPN )(?P<FIELDNAME>[^ ]+)

perlish · ‎10-03-2012

yes, it has solve my issue, thank you.

how to use OR in the field extract

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM