regex
Synopsis
Removes results that do not match the specified regular expression.
Syntax
regex field( = | != )regex-expression
Arguments
- field
- Syntax: <field>
- Description: Specify the field name from which to match the values against the regular expression.
- = | !=
- Description: Matches the value of the field against the unanchored regex and only keeps those events that match in the case of '=' or do not match in the case of '!='.
- regex-expression
- Syntax: <string>
- Description: A Perl Compatible Regular Expression supported by the PCRE library.
Description
Removes results that do not match the specified regular expression. You can specify for the regex to keep results that match the expression, or to keep those that do not match.
Note: If you want to use the "or" operator ("|") in a regex argument, the whole regex expression must be surrounded by quotes (i.e., regex "expression").
Examples
Example 1: Keep only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8).
... | regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
Example 2: Example usage
... | regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
Example 3: Use quotes around an expression that contains the "or" operator ("|").
... | regex _raw="complicated|regex(?=expression)"
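As an added example (not from the Splunk documentation), the following Python script reproduces the filter semantics of Example 1 over a few constructed log events: the pattern is unanchored, `=` keeps events whose `_raw` text matches, and `!=` keeps those that do not. Python's `re` module stands in for PCRE here; it supports the fixed-width negative lookbehind and lookahead the example relies on. The event lines, the `regex_filter` function and the pattern names are assumptions for this illustration. The script also shows why the dot after `10` must be escaped: left unescaped, it matches any character and lets a line such as `10x1.2.3` through.

```python
import re

# Constructed sample events (not taken from the page); each string is an event's _raw text.
EVENTS = [
    "src=10.1.2.3 dst=192.168.0.1 action=allow",     # 10/8 source
    "src=172.16.4.5 dst=10.200.1.1 action=deny",     # 10/8 destination
    "src=110.1.2.3 dst=8.8.8.8 action=allow",        # 110.x.x.x must NOT match 10/8
    "src=210.0.0.1 dst=10.0.0.254 action=allow",     # 210.x.x.x, plus a genuine 10/8 address
    "src=192.168.1.1 dst=192.168.1.2 action=allow",  # no 10/8 address at all
    "msg=host id 10x1.2.3 unreachable",              # '10x1.2.3' is not an IP address
]

# Example 1 from the page, with the dot after "10" escaped so it matches only a literal '.'.
# (?<!\d) and (?!\d) stop "110.1.2.3" or "10.1.2.34" from being taken as 10/8 addresses.
RFC1918_CLASS_A = r"(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"

# The same pattern with the dot unescaped: '.' then matches any character, not just '.'.
UNESCAPED_DOT = r"(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"


def regex_filter(events, pattern, keep_matches=True):
    """Mimic `regex _raw=<pattern>` (keep_matches=True) or `regex _raw!=<pattern>`
    (keep_matches=False).

    The Splunk regex command is unanchored, so re.search (match anywhere in the
    event) is used rather than re.match or re.fullmatch.
    """
    compiled = re.compile(pattern)
    return [e for e in events if bool(compiled.search(e)) == keep_matches]


if __name__ == "__main__":
    print("regex _raw=<10/8 pattern>")
    for e in regex_filter(EVENTS, RFC1918_CLASS_A):
        print("  ", e)
    print("regex _raw!=<10/8 pattern>")
    for e in regex_filter(EVENTS, RFC1918_CLASS_A, keep_matches=False):
        print("  ", e)
    print("unescaped dot also keeps:")
    extra = set(regex_filter(EVENTS, UNESCAPED_DOT)) - set(regex_filter(EVENTS, RFC1918_CLASS_A))
    for e in extra:
        print("  ", e)
```

With the escaped pattern, events 1, 2 and 4 (1-based) are kept and the `!=` form returns the other three; the unescaped variant additionally keeps the `10x1.2.3` line, which is the kind of false positive an unescaped metacharacter introduces into a detection search.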
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.