Search Reference



NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.



Specifies a Perl regular expression named groups to extract fields while you search.


rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)

Required arguments

Syntax: field=<field>
Description: The field that you want to extract information from. Defaults to _raw
Syntax: "<string>"
Description: A Perl Compatible Regular Expression supported by the PCRE library. Quotes are required.
Syntax: "<string>"
Description: Use Unix sed syntax to replace strings or substitute characters. For more information, see Anonymize data in the Getting Data In manual. Quotes are required.

Optional arguments

Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.
Syntax: mode=sed
Description: Indicate that you are using a sed expression.


Matches the value of the field against the unanchored regex and extracts the Perl regex named groups into fields of the corresponding names. When mode=sed, the given sed expression will be applied to the value of the chosen field (or to _raw if a field is not specified). If a field is not specified, applying the regex to the _raw field may have a performance impact.


Example 1: Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

Example 2: Extract "user", "app" and "SavedSearchName" from a field called "savedsearch_id" in scheduler.log events. If savedsearch_id=bob;search;my_saved_search then user=bob , app=search and SavedSearchName=my_saved_search

... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"

Example 3: Use sed syntax to match the regex to a series of numbers and replace them with an anonymized string.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"

See also

extract, kvform, multikv, xmlkv, regex

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 View the Article History for its revisions.


From my experience in a scheduled search that has the "run a script" alert reaction configured the term<br />rex field=_raw "From: (?.*) To: (?.*)"<br />causes an error.<br />From splukd.log: ERROR ScriptRunner - stderr from '{installpath}\Splunk\etc\apps\search\bin\': IOError: [Errno 22] Invalid argument<br />This seems to be connected with the quotation marks around the regular expression.<br />There are examples with and without quotation marks in this documentation.<br />Would you please document in which occasions the quotation marks are neccessary and when they are not recommended?<br />Thank you.

February 6, 2013

You must be logged into in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!