Splunk® Cloud Services

SPL2 Search Reference

rex command examples

The following are examples for using the SPL2 rex command.

1. Use a <sed-expression> to mask values

Use a <sed-expression> to match a series of numbers and replace them with an anonymized string to preserve privacy. In this example the first three 4-digit groups of a credit card number are masked and the last group is kept. Because the expression is enclosed in double quotation marks, the backslash in the \d character class must itself be escaped with a backslash ( \ ), which is why the example is written with \\d.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"

2. Regular expressions with character classes

In this example, the clientip field contains IP addresses, and you want to extract the leading octet, from which the address class is determined. The expression uses the character class \d, which contains a backslash, so you can write the expression in one of two ways.

You can escape the backslash character by enclosing the string in quotation marks and adding another backslash to the character class, as shown in this example:

... | rex field=clientip "(?<ipclass>\\d+)"

You can use a forward slash ( / ), instead of quotation marks, to enclose the expression that contains a character class. Here's an example:

... | rex field=clientip /(?<ipclass>\d+)/

Either method returns a field called ipclass that contains the leading octet of the IP address.
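The two points above, the escaping of \d inside a quoted expression and the extraction of the leading octet, as an added Python example that is not part of the original page. It reuses the page's regular expressions as-is (Python's re module spells named groups (?P<name>...), which SPL2 also accepts) on constructed sample values; the mapping from the leading octet to a classful letter is an assumption added here, not something the page's expression computes.

```python
import re
from typing import Optional

# Constructed sample values, not taken from the original page.
CCNUMBER = "4111-1111-1111-1234"
CLIENTIP = "192.0.2.44"

# The page's sed-expression regex. SPL2 doubles the backslash inside a
# double-quoted string ("\\d"); Python offers the same choice: a raw string
# (r"\d") or an ordinary string with a doubled backslash ("\\d"). Both compile
# to the identical pattern, which escaping_styles_agree() confirms.
MASK_RAW = re.compile(r"(\d{4}-){3}")
MASK_QUOTED = re.compile("(\\d{4}-){3}")

# SPL2 accepts (?<name>...) for named groups; Python's re needs (?P<name>...).
FIRST_OCTET = re.compile(r"(?P<ipclass>\d+)")


def mask_ccnumber(value: str) -> str:
    r"""s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g: mask the first three groups, keep the last.

    Note the pattern requires hyphen-separated groups; a bare 16-digit string
    passes through unchanged, so validate the field format before relying on it.
    """
    return MASK_RAW.sub("XXXX-XXXX-XXXX-", value)


def escaping_styles_agree(value: str) -> bool:
    """Both spellings of the backslash yield the same pattern and the same result."""
    return (
        MASK_RAW.pattern == MASK_QUOTED.pattern
        and MASK_RAW.sub("XXXX-XXXX-XXXX-", value)
        == MASK_QUOTED.sub("XXXX-XXXX-XXXX-", value)
    )


def extract_ipclass(clientip: str) -> Optional[str]:
    r"""rex field=clientip /(?<ipclass>\d+)/: returns the leading octet, as on the page."""
    m = FIRST_OCTET.search(clientip)
    return m.group("ipclass") if m else None


def classful_label(octet: str) -> str:
    """Map the leading octet to its classful letter.

    Assumption of this example: classic classful ranges (A < 128, B < 192,
    C < 224, D < 240, else E). The page's regex only extracts the octet.
    """
    n = int(octet)
    if n < 128:
        return "A"
    if n < 192:
        return "B"
    if n < 224:
        return "C"
    if n < 240:
        return "D"
    return "E"


if __name__ == "__main__":
    print(mask_ccnumber(CCNUMBER))                       # XXXX-XXXX-XXXX-1234
    print(escaping_styles_agree(CCNUMBER))               # True
    octet = extract_ipclass(CLIENTIP)
    print(octet, classful_label(octet))                  # 192 C
```

Run it with any Python 3 interpreter. The masking function deliberately mirrors the page's pattern, so it shows the same limitation: a card number stored without hyphens is not masked, which is worth a check before the field leaves the pipeline.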

3. Pipeline examples

These examples show how to use the rex command in a pipeline.

Use regular expressions in pipelines to extract HTTP status codes

The following example uses the rex command and a named capture group to create a pipeline that extracts HTTP status codes from the event body into a field named httpcode:

$pipeline = | from $source
| rex field=_raw /(?P<httpcode>[1-5][0-9][0-9])/
| into $destination

Because the pattern is not anchored, it captures the first three-digit sequence that begins with 1 through 5 anywhere in the event, which might be part of a timestamp or an IP address rather than the status code. Anchor the pattern to the surrounding text when the event layout allows it.

Use regular expressions in pipelines to extract log message numbers

This example extracts the log message number to a field named msg_num. The _raw field is dropped and the data is sent to an index named cisco_msg_num.

$pipeline = | from $source
| rex field=_raw /(?P<msg_num>(%ASA|%FTD)-\d+-\d+)/
| fields - _raw
| eval index="cisco_msg_num"
| into $destination

Use regular expressions in pipelines to extract fields

If the data values that you want to filter aren't stored in event fields, you can extract those values into fields by using the rex command.

The following example shows how to extract the type of payment method, either Credit Card or Game Card, and place those values into a field named card_type. The pipeline then keeps only the events where card_type is Credit Card and replaces any 16-digit number that begins with 1 through 5 (the credit card number) with the string "<redacted>".

$pipeline = | from $source
| rex field=_raw /(?P<card_type>(Credit Card|Game Card))/
| where card_type = "Credit Card"
| eval _raw=replace(_raw, /[1-5][0-9]{15}/i, "<redacted>")
| into $destination
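The three pipelines in this section, run over a handful of constructed events, as an added Python example that is not part of the original page. It applies the page's regular expressions unchanged (Python's re module uses the same (?P<name>...) syntax), emulates the first-match behaviour of rex, and contrasts the page's unanchored httpcode pattern with an anchored variant that is an assumption of this example about the access-log layout.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not from the original page): two access-log lines,
# one Cisco ASA syslog line, and two payment log lines.
EVENTS = [
    '10.1.2.3 - - [27/Aug/2024:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.168.0.7 - - [27/Aug/2024:10:15:40 +0000] "POST /login HTTP/1.1" 401 233',
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443",
    "payment method=Credit Card number=4111111111111111 amount=19.99",
    "payment method=Game Card number=1234567890123456 amount=5.00",
]

# The page's httpcode pattern, unanchored, exactly as written.
HTTPCODE_UNANCHORED = re.compile(r"(?P<httpcode>[1-5][0-9][0-9])")
# Anchored variant (assumption of this example): the status code is the whole
# token that follows the quoted request line.
HTTPCODE_ANCHORED = re.compile(r'HTTP/[\d.]+" (?P<httpcode>[1-5][0-9][0-9]) ')
# The page's Cisco message-number and card-type patterns.
MSG_NUM = re.compile(r"(?P<msg_num>(%ASA|%FTD)-\d+-\d+)")
CARD_TYPE = re.compile(r"(?P<card_type>(Credit Card|Game Card))")
# The page's replace() pattern; the /i flag is harmless on an all-digit pattern.
CARD_NUMBER = re.compile(r"[1-5][0-9]{15}", re.IGNORECASE)


def rex(field_value: str, pattern: re.Pattern) -> Dict[str, str]:
    """rex semantics: named groups of the first match become fields; no match, no fields."""
    m = pattern.search(field_value)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}


def extract_httpcode(events: List[str], anchored: bool) -> List[Optional[str]]:
    """Pipeline 1. With anchored=False every event yields a bogus code."""
    pat = HTTPCODE_ANCHORED if anchored else HTTPCODE_UNANCHORED
    return [rex(e, pat).get("httpcode") for e in events]


def extract_msg_num(events: List[str]) -> List[Optional[str]]:
    """Pipeline 2: the ASA/FTD message number, None for non-Cisco events."""
    return [rex(e, MSG_NUM).get("msg_num") for e in events]


def redact_credit_cards(events: List[str]) -> List[Dict[str, str]]:
    """Pipeline 3: rex card_type | where card_type = "Credit Card" | eval _raw=replace(...)."""
    out = []
    for raw in events:
        fields = rex(raw, CARD_TYPE)
        if fields.get("card_type") != "Credit Card":
            continue  # the where clause drops Game Card and unmatched events
        out.append({"card_type": "Credit Card",
                    "_raw": CARD_NUMBER.sub("<redacted>", raw)})
    return out


if __name__ == "__main__":
    print(extract_httpcode(EVENTS, anchored=False))   # ['202', '192', '302', '411', '123']
    print(extract_httpcode(EVENTS, anchored=True))    # ['200', '401', None, None, None]
    print(extract_msg_num(EVENTS))                    # [None, None, '%ASA-6-302013', None, None]
    print(redact_credit_cards(EVENTS))
```

The unanchored run is the point of the example: on these events the first three-digit sequence starting with 1 through 5 is a year fragment, the first octet of the client IP, part of the ASA message number, or the start of the card number, never the status code. The anchored pattern only fires on events that actually carry a request line, which is the behaviour a detection or reporting search needs.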

See also

rex command
rex command overview
rex command syntax details
rex command usage
Pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual
Last modified on 27 August, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
