03-28-2024 02:40 AM
Hi,
I want to use the OR operator in an XQL regextract, but the following command does not work. Can you help us?
Thank you.
|alter etki=regextract(message ,"Etki\sAlanı\sAdı\:\s+([^\n\r]+) | Domain\sName\:\s+([^\n\r]+)")
04-01-2024 11:53 AM
Hi @AtilaTasli, thanks for reaching out to us on the Live Community.
Please remove the whitespaces at each side of the "|" character and try again.
If this post answers your question, please mark it as the solution.
04-01-2024 12:20 PM
Hi Jmazzeo,
Thank you for your response. But when I do as you specified in XQL, I get a "Could not be executed because your query is invalid." error.
My XQL query
dataset =microsoft_windows_raw
|alter etki=regextract(message ,"Etki\sAlanı\sAdı\:\s+([^\n\r]+)|Domain\sName\:\s+([^\n\r]+)")
In our event logs, we will use the logs we receive from Turkish and English operating systems in correlations. This "OR" operator will make our job really easy.
I can get the result I need with the query below, but I need to write a lot of code.
dataset =microsoft_windows_raw
|alter domain1=arrayindex(regextract(message , "Etki\sAlanı\sAdı\:\s+([^\n\r]+)"),0 )
|alter domain2=arrayindex(regextract(message , "Domain\sName\:\s+([^\n\r]+)"),0)
|alter final_domain_name=
if (domain1!= "",
domain1,
domain2 )
|limit 100
|fields final_domain_name ,*
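The following is an added illustration and is not part of the thread, nor Cortex XQL code: it reproduces, in Python's re module, why a pattern with one capture group per alternative is awkward to consume (each match carries an empty group for the alternative that did not fire) and shows the usual rewrite, which keeps the alternation inside a non-capturing group so that the value always lands in capture group 1. The sample event texts are constructed here and only imitate the Turkish and English field labels quoted in the thread. Whether the equivalent single-group pattern, roughly regextract(message, "(?:Etki\sAlanı\sAdı|Domain\sName)\:\s+([^\n\r]+)"), is accepted by XQL's regex engine is an assumption to be tested in the product, not something this thread confirms.

```python
import re
from typing import Optional

# Constructed sample events (not taken from the original post): the same
# Windows audit text as a Turkish-localised and an English-localised host
# would write it, plus one event without the field at all.
SAMPLE_EVENTS = [
    "Hesap Bilgileri:\r\n\tGüvenlik Kimliği:\tS-1-5-21-1\r\n\tEtki Alanı Adı:\tCONTOSO\r\n",
    "Account Information:\r\n\tSecurity ID:\tS-1-5-21-1\r\n\tDomain Name:\tCONTOSO\r\n",
    "Unrelated message with no domain field\r\n",
]

# The shape used in the thread: two alternatives, each with its own capture
# group. Only one group participates in any given match.
TWO_GROUPS = re.compile(r"Etki\sAlanı\sAdı:\s+([^\n\r]+)|Domain\sName:\s+([^\n\r]+)")

# Rewritten: the label alternation sits in a non-capturing group, so there is
# exactly one capture group and the value is always in group 1.
ONE_GROUP = re.compile(r"(?:Etki\sAlanı\sAdı|Domain\sName):\s+([^\n\r]+)")


def extract_two_groups(message: str) -> list:
    """Show what a two-group alternation yields: one tuple per match, with an
    empty string in whichever group did not participate."""
    return TWO_GROUPS.findall(message)


def extract_domain(message: str) -> Optional[str]:
    """Return the domain value from either the Turkish or the English label,
    or None when the event carries neither (the case the if() in the thread
    has to handle by hand)."""
    m = ONE_GROUP.search(message)
    return m.group(1) if m else None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_two_groups(event), "->", extract_domain(event))
```

With the single-group form, the result for an event that has neither label is simply "no match", which is the case a downstream comparison such as the if() in the workaround above must treat as missing rather than as an empty string.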