Search Reference

 


rex

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

rex

Synopsis

Specifies a Perl regular expression named groups to extract fields while you search.

Syntax

rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)

Required arguments

field
Syntax: field=<field>
Description: The field that you want to extract information from. Defaults to _raw
regex-expression
Syntax: "<string>"
Description: A Perl Compatible Regular Expression supported by the PCRE library. Quotes are required.
sed-expression
Syntax: "<string>"
Description: Use Unix sed syntax to replace strings or substitute characters. For more information, see Anonymize data in the Getting Data In manual. Quotes are required.

Optional arguments

max_match
Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1, use 0 to mean unlimited.
mode
Syntax: mode=sed
Description: Indicate that you are using a sed expression.

Description

Matches the value of the field against the unanchored regex and extracts the Perl regex named groups into fields of the corresponding names. When mode=sed, the given sed expression will be applied to the value of the chosen field (or to _raw if a field is not specified). If a field is not specified, applying the regex to the _raw field may have a performance impact.

Examples

Example 1: Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

Example 2: Extract "user", "app" and "SavedSearchName" from a field called "savedsearch_id" in scheduler.log events. If savedsearch_id=bob;search;my_saved_search then user=bob , app=search and SavedSearchName=my_saved_search

... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"

Example 3: Use sed syntax to match the regex to a series of numbers and replace them with an anonymized string.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"

See also

extract, kvform, multikv, xmlkv, regex

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 View the Article History for its revisions.


Comments

From my experience in a scheduled search that has the "run a script" alert reaction configured the term
rex field=_raw "From: (?.*) To: (?.*)"
causes an error.
From splukd.log: ERROR ScriptRunner - stderr from '{installpath}\Splunk\etc\apps\search\bin\runshellscript.py': IOError: [Errno 22] Invalid argument
This seems to be connected with the quotation marks around the regular expression.
There are examples with and without quotation marks in this documentation.
Would you please document in which occasions the quotation marks are neccessary and when they are not recommended?
Thank you.

MelanieSchmidt
February 6, 2013

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!