I’m currently working on creating a query to generate a meaningful report from snort logs. For help I’m using the Grafana visual editor but I’m not opposed to direct query editing.
What I would like to do is have one query which returns lines where one label filter OR another label filter matches.
With Grafana I constructed this query so far:
{job="defiant", appname="snort"} | pattern `[<gid>:<sid>:<rev>] "<class> <message>" [Classification: <classification>] [Priority: <priority>] {<proto>} <src>:<spt> -> <dst>:<dpt>` | classification =~ `.*(Attempt|Attack).*`
What I would like is to return the line if
classification =~ `.*(Attempt|Attack).*`
OR
message =~ `.*Attack.*`
Is there a way to do that in a single query?
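LogQL lets label filter expressions be chained with `or` and `and` after a parser stage, so the condition above can be written inline as `| classification =~ ".*(Attempt|Attack).*" or message =~ ".*Attack.*"` following the `pattern` stage. The script below is an added example, not part of the original post and not Loki's own code: it models the `pattern` parse and the OR label filter locally on constructed Snort-style lines, so the selection logic can be checked before the query is run against a real data source. The sample lines, the `pattern_to_regex` helper and its lazy-capture approximation of Loki's parser are all assumptions made for this illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Snort's fast-alert layout (not real captures).
SAMPLE_LINES = [
    '[1:1000001:1] "ET Attempted Administrator Privilege Gain" '
    '[Classification: Attempted Administrator Privilege Gain] [Priority: 1] '
    '{TCP} 198.51.100.23:44321 -> 192.0.2.10:22',
    '[1:1000002:3] "GPL Web Application Attack sample" '
    '[Classification: Potentially Bad Traffic] [Priority: 2] '
    '{TCP} 198.51.100.23:44322 -> 192.0.2.10:80',
    '[1:1000003:2] "ET DNS Misc Query" '
    '[Classification: Misc activity] [Priority: 3] '
    '{UDP} 198.51.100.23:5353 -> 192.0.2.10:53',
    'snort: Initialization Complete',  # does not fit the pattern; dropped
]

# The same pattern string used in the question's LogQL query.
PATTERN = (
    '[<gid>:<sid>:<rev>] "<class> <message>" [Classification: <classification>] '
    '[Priority: <priority>] {<proto>} <src>:<spt> -> <dst>:<dpt>'
)

# The two label filters that should be OR-ed together.
CLASSIFICATION_RE = r".*(Attempt|Attack).*"
MESSAGE_RE = r".*Attack.*"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Approximate LogQL's `pattern` parser (assumption, not Loki's code):
    each <name> capture is lazy and the literal text between captures must
    appear verbatim, so "<class> <message>" splits at the first space."""
    parts = re.split(r"<(\w+)>", pattern)  # literals at even indexes, names at odd
    regex = "^"
    for i, part in enumerate(parts):
        regex += re.escape(part) if i % 2 == 0 else f"(?P<{part}>.*?)"
    return re.compile(regex + "$")


def parse_line(line: str, compiled: re.Pattern) -> Optional[Dict[str, str]]:
    """Return the extracted labels, or None when the line does not fit."""
    m = compiled.match(line)
    return m.groupdict() if m else None


def label_matches(labels: Dict[str, str], name: str, regex: str) -> bool:
    """LogQL regex label filters are fully anchored; a missing label behaves
    like the empty string, which these patterns do not match."""
    return re.fullmatch(regex, labels.get(name, "")) is not None


def select_lines(lines: List[str], pattern: str = PATTERN) -> List[Dict[str, str]]:
    """Keep lines whose classification OR message label matches."""
    compiled = pattern_to_regex(pattern)
    selected = []
    for line in lines:
        labels = parse_line(line, compiled)
        if labels is None:
            continue
        if (label_matches(labels, "classification", CLASSIFICATION_RE)
                or label_matches(labels, "message", MESSAGE_RE)):
            selected.append(labels)
    return selected


if __name__ == "__main__":
    for hit in select_lines(SAMPLE_LINES):
        print(hit["sid"], hit["classification"], "|", hit["message"])
```

The first sample line is kept because its classification contains "Attempt", the second only because its message contains "Attack", and the third is dropped because neither filter matches; the non-alert line never produces labels at all. Note that the regexes are anchored, so `.*` on both sides is what turns them into a substring test, exactly as in the LogQL filters.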