> payload /.*(abc) | (xyz).*/ > ... > Is there anything wrong in writing the 'OR' condition? Yes, this should be written instead as: payload /.*(abc)|(xyz).*/ Or, if you want to match "abc" or "xyz" anywhere in the payload, as: payload /.*(abc|xyz).*/ - Vern