Solved: Re: Match using OR statement

rlautman · ‎07-25-2013

In in my host field I have several different addresses, 4 of these addresses are from Location1 and the rest are from Location2. I have constructed the below query to look for the matching addresses within the host fields and assign Location1 to those that match. I can't seem to look for the addresses I want to find in one match statement and the results from the query below, although correct, are a bit messy. Is is possible to use an OR statement within a match or is there another way of going about this?

index=serverapps | eval Loc=if((match(host,"12.34.56.78*")),"Location1","Location2") | eval Loc1=if((match(host,"12.345.67.*")),"Location1","Location2") | stats count by host,Loc,Loc1

reed_kelly · ‎07-25-2013

Match uses PCRE, so you have to escape "." as 1\.2\.3\.4, and you can use the | character as an OR operation:

match(host, "1\.2\.3\.4|5\.6\.7\.8")

View solution in original post

reed_kelly · ‎07-25-2013

Match uses PCRE, so you have to escape "." as 1\.2\.3\.4, and you can use the | character as an OR operation:

match(host, "1\.2\.3\.4|5\.6\.7\.8")

rlautman · ‎07-26-2013

This has worked a treat, thanks

linu1988 · ‎07-25-2013

why not use a lookup, that will be easy and will be reliable with more results coming in future. You can also use CASE for this as well.

Match using OR statement

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?