https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582276#M6446 <P>Hi Jmazzeo,</P> <P>Thank you for your&nbsp;response. But&nbsp; When I do as you specified in XQL, I get "<BR />Could not be executed because your query is invalid." error.</P> <P>&nbsp;</P> <P>My XQL query&nbsp;</P> <P>dataset =microsoft_windows_raw<BR />|alter etki=regextract(message ,"Etki\sAlanı\sAdı\:\s+([^\n\r]+)|Domain\sName\:\s+([^\n\r]+)")</P> <P>&nbsp;</P> <P>In our event logs, we will use the logs we receive from Turkish and English operating systems in correlations. This "OR" operator will make our job really easy. <BR />I can get the result I need with the query below, but I need to write a lot of code.</P> <P>dataset =microsoft_windows_raw</P> <P>|change domain1=arrayindex(regextract(message , "Domain\sArea\sName\:\s+([^\n\r]+)"),0 ) <BR />|change domain2=arrayindex(regextract(message , "Domain\sName\:\s+([^\n\r]+)"),0)<BR /><BR />|alter final_domain_name= <BR />if (domain1!= "", <BR />domain1,<BR />domain2 )</P> <P>|limit 100<BR />|fields final_domain_name ,*</P> Mon, 01 Apr 2024 19:20:02 GMT AtilaTasli 2024-04-01T19:20:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582018#M6444 <P>Hi</P> <P>I want to use or operator in XQL regextraxt but the following command does not work. Can you help us.<BR />Thank you.</P> <P>|alter etki=regextract(message ,"Etki\sAlanı\sAdı\:\s+([^\n\r]+) | Domain\sName\:\s+([^\n\r]+)")</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 28 Mar 2024 09:40:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582018#M6444 AtilaTasli 2024-03-28T09:40:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582269#M6445 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/331889">@AtilaTasli</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>Please remove the whitespaces at each side of the "|" character and try again.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Mon, 01 Apr 2024 18:53:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582269#M6445 jmazzeo 2024-04-01T18:53:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582276#M6446 <P>Hi Jmazzeo,</P> <P>Thank you for your&nbsp;response. But&nbsp; When I do as you specified in XQL, I get "<BR />Could not be executed because your query is invalid." error.</P> <P>&nbsp;</P> <P>My XQL query&nbsp;</P> <P>dataset =microsoft_windows_raw<BR />|alter etki=regextract(message ,"Etki\sAlanı\sAdı\:\s+([^\n\r]+)|Domain\sName\:\s+([^\n\r]+)")</P> <P>&nbsp;</P> <P>In our event logs, we will use the logs we receive from Turkish and English operating systems in correlations. This "OR" operator will make our job really easy. <BR />I can get the result I need with the query below, but I need to write a lot of code.</P> <P>dataset =microsoft_windows_raw</P> <P>|change domain1=arrayindex(regextract(message , "Domain\sArea\sName\:\s+([^\n\r]+)"),0 ) <BR />|change domain2=arrayindex(regextract(message , "Domain\sName\:\s+([^\n\r]+)"),0)<BR /><BR />|alter final_domain_name= <BR />if (domain1!= "", <BR />domain1,<BR />domain2 )</P> <P>|limit 100<BR />|fields final_domain_name ,*</P> Mon, 01 Apr 2024 19:20:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-use-to-or-operator-in-the-regextract/m-p/582276#M6446 AtilaTasli 2024-04-01T19:20:02Z