Alternatives Group

( matcher_expr | matcher_expr | … )

Alternatives group applies matcher expressions in the order they are defined (from left to right). It stops at the first match found (i.e it uses so-called lazy match strategy) and its value is extracted (if the expression has an export name assigned). Other exported matcher fields in resultset will be assigned to NULL.

When alternatives group itself is exported, then its field will have matching member value converted to STRING (or the empty string if none matched).

output type:



not allowed


charset = character set name enclosed in single or double quotes (for example charset="ISO-8859-1")

locale = string specifying IETF BCP 47 language tag enclosed in single or double quotes (see the list here ). The default locale is English.

Alternatives group comes handy when data in the same position may be of a different type. A good example is Apache webserver access log where the first field in the record may be an IP-address or hostname.

Example: Parsing an IP-address or hostname:


(IPADDR:ip | LD:host):alt_grp EOL;

Parsing results in IPADDR field ip being evaluated to for data on line 1 and NULL for the line 2. STRING field host is evaluated oppositely. The STRING field alt_grp, exported by alternative group, has non-NULL value for data in both lines.

ip host alt_grp _unmatched NULL NULL