
Attempt to shorten OR'd field regexes into a single condition

Open kelnage opened this issue 2 years ago • 0 comments

When a query contains multiple OR'd regular expressions, each testing the same field for similar strings (i.e., `fieldA=~"abc" OR fieldA=~"abd" OR fieldA=~"abe"`), we could generate a shorter/easier to read (and possibly better performance?) query if we combined them into a single regex using brackets and vertical bars - especially if a common substring from each pattern could be extracted (i.e., `fieldA=~"ab(c|d|e)"` achieves the same outcome and is much easier to read).

kelnage · Mar 13 '23 10:03
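The folding described in the issue, as an added example that is not part of pySigma-backend-loki: conditions are represented as constructed `(field, op, value)` tuples rather than the backend's own AST, only a literal common prefix is extracted (anything touching a regex metacharacter stays inside its branch), and the merged branches go in a non-capturing group so alternation precedence and group numbering are unchanged.

```python
import re

# Characters that end a literal prefix: anything that could change meaning
# (escapes, anchors, quantifiers, classes, groups, alternation).
META = set(r"\.^$*+?{}[]()|")

def literal_prefix(patterns):
    """Longest prefix shared by all patterns that consists only of literal chars."""
    prefix = ""
    for chars in zip(*patterns):
        c = chars[0]
        if c in META or any(ch != c for ch in chars):
            break
        prefix += c
    # A quantifier right after the prefix in some pattern would bind to the
    # prefix's last char, so leave that char inside the branch instead.
    if prefix and any(len(p) > len(prefix) and p[len(prefix)] in "*+?{" for p in patterns):
        prefix = prefix[:-1]
    return prefix

def merge_regex_or(conditions):
    """conditions: list of (field, op, value) terms joined by OR.
    Same-field '=~' terms are folded into one alternation; others pass through."""
    out, by_field = [], {}
    for field, op, value in conditions:
        if op == "=~":
            by_field.setdefault(field, []).append(value)
        else:
            out.append((field, op, value))
    for field, pats in by_field.items():
        if len(pats) == 1:
            out.append((field, "=~", pats[0]))
            continue
        prefix = literal_prefix(pats)
        rest = [p[len(prefix):] for p in pats]
        # Non-capturing group keeps alternation precedence intact and does not
        # shift group numbering if a branch contains its own capture group.
        out.append((field, "=~", f"{prefix}(?:{'|'.join(rest)})"))
    return out

def render(conditions):
    return " or ".join(f'{f}{op}"{v}"' for f, op, v in conditions)

def equivalent(patterns, merged, samples):
    """True if merged matches exactly the samples that any original pattern matches."""
    return all(bool(re.fullmatch(merged, s)) == any(re.fullmatch(p, s) for p in patterns)
               for s in samples)

# Constructed input mirroring the issue text
ISSUE_TERMS = [("fieldA", "=~", "abc"), ("fieldA", "=~", "abd"), ("fieldA", "=~", "abe")]
```

`equivalent` is the check to run over representative field values before shipping such a rewrite, since a prefix pulled out of a pattern like `ab+` would otherwise silently change what matches.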