You can merge the two regex strings together for this rex field=msg "BAN: (?<BAN>\w+)" - space between colon and var value rex field=msg ",ban:(?<BAN>\w+)" - prefixed comma, no space between colon and var value can just become rex field=msg "(BAN|,ban): ?(?<BAN>'w+)" The first part is a grouped OR statement specifying that the string must be either BAN or ,ban. The second change is the ? after space. this indicates the space is optional. Please make sure, however, that this pattern does in fact work with your data and I would advise running a test set in something like regex101
... View more