rex
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
rex
Synopsis
Specifies a Perl regular expression named groups to extract fields while you search.
Syntax
rex [field=field] (regex-expression max_match=<int>| mode=sed sed-expression)
Arguments
- field
- Syntax: field=<field>
- Description:
- regex-expression
- Syntax: <string>
- Description: A Perl Compatible Regular Expression supported by the PCRE library.
- max_match
- Syntax: max_match=<int>
- Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1.
- sed-expression
- Syntax: <string>
- Description: Use Unix sed syntax to replace strings or substitute characters. For more information, see Anonymize data with sed in the Admin manual.
Description
Matches the value of the field against the unanchored regex and extracts the Perl regex named groups into fields of the corresponding names. If mode is set to 'sed' the given sed expression will be applied to the value of the chosen field (or to _raw if a field is not specified).
Examples
Example 1: Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"Example 2: Use sed syntax to match the regex to a series of numbers and replace them with an anonymized string.
... | rex mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"See also
extract, kvform, multikv, xmlkv, regex
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.