Re: regex multiple phrases

lucychang2015 · ‎06-20-2014

I want to see if string a and string b are in the logs, but they might not be in the same event.
And I don't want to create seperate query for each string.
How do I do that?

lguinn2 · ‎06-21-2014

Well, if string a and string b are actual strings (not regular expressions), then this will work

"a" OR "b"

It would be nice to include a sourcetype, source, etc. in the above search, to make it more targeted and efficient. If the strings are regular expresssions, then use this:

yoursearchhere
| where match(_raw,"a") OR match(_raw,"b")

In this case, you will have to write some search that retrieves a set of data before applying the regular expression filter. While you could use the regex command instead of the where command, I often find this way easier. With regex, you need to write a single regular expression. Combining "a" and "b" might be difficult or hard to understand.

martin_mueller · ‎06-20-2014

I'm sure that's possible, got some sample data and desired results?

regex multiple phrases

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation