regexes.conf - Create regular expressions for use in properties
This documentation does not apply to the most recent version of Splunk.
These parameters let you create regular expressions that can be invoked by properties defined in props.conf to match patterns in data and meta data.
By default the regex processor won't handle multi-line events. To get around this, add (?m) before the start of the regular expression to match the preceding lines in the event.
Filename
- regexes.conf (within any subdirectory of $SPLUNK_HOME/etc/bundles/)
Format
[<regex name>]
attribute1 = val1
attribute2 = val2
...
Attributes
If the same <spec> is found in two bundle directories, the following
precedence rules apply.
- Attributes in the "local" bundle are read first.
- Attributes in other bundles except "default" are loaded in alphabetical order of bundle name.
- Attributes in the "default" bundle are read last.
Overriding is performed attribute by attribute.
- SOURCE_KEY = <string> (_raw)
Specifies which KEY in the event should be the source of the string
on which to perform the regex.
- REGEX = <regular expression> (Empty)
If set, this is the regular expression that will operate on the data.
- FORMAT = <string> ($1)
A string with arguments specified by $n, where n represents the output
of the n-th parenthesized group of the REGEX. If the regex does not have
n groups, the matching fails. The special identifier $0 represents what
was in the DEST_KEY before this regex was performed.
- DEFAULT_VALUE = <string> (Empty)
If set, and the regex fails, this value will be written to the DEST_KEY.
- DEST_KEY = <string> (<regex name>)
Specifies where the formatted result of running the regex should be stored.
Any KEY prefixed by '_' will not be stored when it reaches the index.
- REPEAT_MATCH = <bool> (False)
Specifies whether the regular expression should be run several times on
the SOURCE_KEY. If set, it will start wherever the last match stopped, and
will continue until no more matches are found.
- WRITE_META = <string> (False)
Specifies that whatever was written to DEST_KEY should also be appended to
the meta data for the event.
Splunk reserved KEYs
Any KEY prefixed by '_' will not be stored when it reaches the index.
- _raw
The raw text of the event.
- _done
If set to any string this is the last event in a stream.
- _meta
A space separated list of "meta data" for an event.
The meta data is displayed below the event in the GUI.
- _time
The timestamp of the event, in seconds since 1/1/1970 UTC.
- MetaData:FinalType
The event type of the event.
- MetaData:Host
The host associated with the event. The value must be prefixed by "host::"
- _MetaData:Index
The index where the event should be stored.
- MetaData:Source
The source associated with the event. The value must be prefixed by "source::"
- MetaData:Sourcetype
The sourcetype of the event. The value must be prefixed by "sourcetype::"
Examples
This creates a meta event for each IP address via regex.
[access-ip]
DEST_KEY = cluster
REGEX = (\d+\.\d+\.\d+\.\d+)
DEFAULT_VALUE =
PREPEND = ip::
WRITE_META = False
To make use of the meta events, you can search Splunk for anything and add
the modifier index::metaevents. Or, if you search for two values
that are in separate events but in the same meta event (because
both events contain the same IP value), the meta event will
appear in your results as if it were a real log event.
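The following is an added example, not Splunk's own code: a small Python model of how a regexes.conf stanza is applied to an event, covering the attributes documented above (SOURCE_KEY, REGEX, FORMAT with $n and $0, DEFAULT_VALUE, DEST_KEY, REPEAT_MATCH, WRITE_META) and the (?m) note for multi-line events, driven by a stanza modelled on [access-ip]. It assumes a stanza is given as a dict with Python booleans, and that repeated matches are joined by a space, which the page does not specify.

```python
import re

# Added example: a model of the regexes.conf stanza semantics described above.
# Illustrative only, not Splunk's implementation. Assumption: with REPEAT_MATCH
# the formatted results are joined by a single space.

FORMAT_ARG = re.compile(r"\$(\d+)")

def expand_format(fmt, match, previous_dest):
    """Expand $n to group n of the match; $0 is the DEST_KEY value before the run.
    Returns None when FORMAT names a group the REGEX does not have (match fails)."""
    for n in (int(d) for d in FORMAT_ARG.findall(fmt)):
        if n > match.re.groups:
            return None
    def repl(m):
        n = int(m.group(1))
        return previous_dest if n == 0 else (match.group(n) or "")
    return FORMAT_ARG.sub(repl, fmt)

def apply_regex_stanza(event, stanza, name):
    """Run one [<regex name>] stanza against an event dict of KEY -> value."""
    source = event.get(stanza.get("SOURCE_KEY", "_raw"), "")
    dest_key = stanza.get("DEST_KEY", name)      # DEST_KEY defaults to the stanza name
    previous_dest = event.get(dest_key, "")      # what $0 refers to
    pattern = re.compile(stanza["REGEX"])        # (?m) inside REGEX enables multi-line
    results, pos = [], 0
    while pos <= len(source):
        m = pattern.search(source, pos)
        if m is None:
            break
        formatted = expand_format(stanza.get("FORMAT", "$1"), m, previous_dest)
        if formatted is None:
            break
        results.append(formatted)
        if not stanza.get("REPEAT_MATCH", False):
            break
        pos = m.end() if m.end() > m.start() else m.end() + 1  # avoid zero-width loops
    if results:
        event[dest_key] = " ".join(results)
    elif "DEFAULT_VALUE" in stanza:              # regex failed: write the default
        event[dest_key] = stanza["DEFAULT_VALUE"]
    if stanza.get("WRITE_META", False) and dest_key in event:
        event["_meta"] = (event.get("_meta", "") + " " + event[dest_key]).strip()
    return event

if __name__ == "__main__":
    # Constructed sample event, with a stanza modelled on [access-ip] above.
    ev = {"_raw": "10.0.0.1 -> 10.0.0.2 GET /index.html"}
    stanza = {"REGEX": r"(\d+\.\d+\.\d+\.\d+)", "FORMAT": "ip::$1",
              "DEST_KEY": "cluster", "REPEAT_MATCH": True, "WRITE_META": True}
    print(apply_regex_stanza(ev, stanza, "access-ip"))
```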
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6