Solved: Pattern match on two different fields

tnkoehn · ‎11-13-2012

I am performing a search where I want to find events if one of two fields matches a specific pattern (which is the same for both fields). I've tried regex, but it doesn't seem to like an OR operator.

search traffic | transaction Acct_ID startswith="START" endswith="STOP" | regex Egress="^\w{3}\d{4}" OR regex Ingress="^\w{3}\d{4}"

Is there any way to do this?

alacercogitatus · ‎11-13-2012

I believe you are close, however since regex drops events, I'd go a different path and use some matching in eval. Try this:

search traffic | transaction Acct_ID startswith="START" endswith="STOP"| eval ematch=if(match(Egress,"^\w{3}\d{4}"),1,0)|eval imatch=if(match(Ingress,"^\w{3}\d{4}"),1,0)|where ematch>0 OR imatch>0

View solution in original post

alacercogitatus · ‎11-13-2012

I believe you are close, however since regex drops events, I'd go a different path and use some matching in eval. Try this:

search traffic | transaction Acct_ID startswith="START" endswith="STOP"| eval ematch=if(match(Egress,"^\w{3}\d{4}"),1,0)|eval imatch=if(match(Ingress,"^\w{3}\d{4}"),1,0)|where ematch>0 OR imatch>0

alacercogitatus · ‎11-13-2012

Thanks! Just doing my part to help!

Rob · ‎11-13-2012

+1 @alacercogitatus Really nice way of avoiding using the regex command and using the eval functions instead. My solutions would have been to use rex to grab things out.

tnkoehn · ‎11-13-2012

You are a rock star! Works great. Thanks!

Pattern match on two different fields

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability