Documentation > Splunk > Search Reference > regex

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

regex

Contents

regex

Synopsis

Removes or keeps results that match the specified regular expression.

Syntax

regex <field>=<regex-expression> | <field>!=<regex-expression> | <regex-expression>

Required arguments

<regex-expression>
Syntax: "<string>"
Description: A Perl Compatible Regular Expression supported by the PCRE library. Quotes are required.

Optional arguments

<field>
Syntax: <field>
Description: Specify the field name from which to match the values against the regular expression. If no field is specified, the match is against "_raw".

Description

The regex command removes results that do not match the specified regular expression. You can specify for the regex to keep results that match the expression (field=regex-expression) or to keep those that do not match (field!=regex-expression).

Note: If you want to use the "OR" ("|") command in a regex argument, the whole regex expression must be surrounded by quotes (that is, regex "expression").

Examples

Example 1: Keep only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8).

... | regex _raw="(?=!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"

Example 2: Example usage

... | regex _raw="complicated|regex(?=expression)"

See also

rex, search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the regex command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Regex"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


Comments

Thanks for pointing that out, Daniel333. The "3" was a typo. We've fixed it.

Cgales splunk, Splunker
March 20, 2013

Example 1 and 3. Where is 2?

Daniel333
March 20, 2013

the syntax indicates that regex can be used without specifiying field name, which I dont think is correct

Syntax

regex = | != |

I interperate the above as:
args to regex are:
field equals regex-expression OR field NOT equal to regex-expression OR regex-expression


is the syntax correct? if so why can I not do?:
regex

I get the following error message:
Error in 'SearchOperator:regex': Usage: regex (=|!=)

Jguarini
January 11, 2013

For case insensitivity use (?i) before an expression.

Cschmidt0121
December 19, 2012

Case insensitive for the word cat....

[Cc][Aa][Tt]

will match cAt, CAT, cat, CaT ..... and onward with all permutations.

Paul.hignutt
October 17, 2012

how to make it case insensitive?

FRoth
February 13, 2012

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!