How to match keywords in a field using regex?
Our requirement is to capture the keywords (Liquor OR Casino OR Gambling OR Adult) that appear in a field.
Try this. To extract a new field with the keyword and filter events where these keywords are present:
index=foo sourcetype=bar (Liquor OR Casino OR Gambling OR Adult) | rex field=_raw "(?<somefield>(Liquor|Casino|Gambling|Adult))"
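To see how that `rex` pattern behaves on real data, here is an added Python example (not part of the original post, and not SPL) that runs the same regex over a handful of constructed log events. It compares the pattern exactly as given in the answer with a variant that adds the inline `(?i)` flag and `\b` word boundaries, which is the check a practitioner would want before relying on the extracted field: without them, `liquor` in lowercase is missed and `Adultery` is tagged as `Adult`. The event lines, user names and field layout are invented for the demonstration.

```python
import re

# Constructed sample events for the demonstration; not taken from the original post.
SAMPLE_EVENTS = [
    "2024-01-05 10:00:01 user=alice category=Casino action=view",
    "2024-01-05 10:00:02 user=bob category=liquor action=purchase",
    "2024-01-05 10:00:03 user=carol category=Adultery action=view",
    "2024-01-05 10:00:04 user=dave category=Books action=view",
    "2024-01-05 10:00:05 user=erin category=Gambling action=deposit",
]

# The pattern as written in the answer: case-sensitive, no word boundaries.
# Python uses (?P<name>...) where Splunk's PCRE accepts (?<name>...).
NAIVE_PATTERN = re.compile(r"(?P<somefield>Liquor|Casino|Gambling|Adult)")

# Tightened pattern: (?i) makes the match case-insensitive, \b stops
# "Adultery" from being captured as "Adult". Splunk's rex is PCRE-based
# and accepts the same (?i) and \b syntax.
STRICT_PATTERN = re.compile(r"(?i)\b(?P<somefield>Liquor|Casino|Gambling|Adult)\b")


def extract_keyword(event, pattern=STRICT_PATTERN):
    """Return the matched keyword, normalised to title case, or None if absent."""
    match = pattern.search(event)
    return match.group("somefield").title() if match else None


def filter_events(events, pattern=STRICT_PATTERN):
    """Mimic `search ... | rex`: keep only events containing a keyword, paired with it."""
    kept = []
    for event in events:
        keyword = extract_keyword(event, pattern)
        if keyword is not None:
            kept.append((keyword, event))
    return kept


if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label)
        for keyword, event in filter_events(SAMPLE_EVENTS, pattern):
            print(f"  {keyword:9} <- {event}")
```

In Splunk the equivalent tightened extraction is `rex field=_raw "(?i)\b(?<somefield>Liquor|Casino|Gambling|Adult)\b"`; note that the base search terms `(Liquor OR Casino OR Gambling OR Adult)` are already case-insensitive, so without `(?i)` an event can pass the search but have no `somefield` extracted.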