Splunk® Enterprise

Search Reference

Download manual as PDF

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.



Specifies a Perl regular expression named groups to extract fields while you search.


rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)

Required arguments

Syntax: field=<field>
Description: The field that you want to extract information from. Defaults to _raw
Syntax: "<string>"
Description: A Perl Compatible Regular Expression supported by the PCRE library. Quotes are required.
Syntax: "<string>"
Description: Use Unix sed syntax to replace strings or substitute characters. For more information, see Anonymize data in the Getting Data In manual. Quotes are required.

Optional arguments

Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.
Syntax: mode=sed
Description: Indicate that you are using a sed expression.


Matches the value of the field against the unanchored regex and extracts the Perl regex named groups into fields of the corresponding names. When mode=sed, the given sed expression will be applied to the value of the chosen field (or to _raw if a field is not specified). If a field is not specified, applying the regex to the _raw field may have a performance impact.


Example 1: Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

Example 2: Extract "user", "app" and "SavedSearchName" from a field called "savedsearch_id" in scheduler.log events. If savedsearch_id=bob;search;my_saved_search then user=bob , app=search and SavedSearchName=my_saved_search

... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"

Example 3: Use sed syntax to match the regex to a series of numbers and replace them with an anonymized string.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"

See also

extract, kvform, multikv, xmlkv, regex


This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7 View the Article History for its revisions.


From my experience in a scheduled search that has the "run a script" alert reaction configured the term<br />rex field=_raw "From: (?.*) To: (?.*)"<br />causes an error.<br />From splukd.log: ERROR ScriptRunner - stderr from '{installpath}\Splunk\etc\apps\search\bin\runshellscript.py': IOError: [Errno 22] Invalid argument<br />This seems to be connected with the quotation marks around the regular expression.<br />There are examples with and without quotation marks in this documentation.<br />Would you please document in which occasions the quotation marks are neccessary and when they are not recommended?<br />Thank you.

February 6, 2013

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters