rex
Synopsis
Specifies a Perl regular expression with named groups and extracts the matched groups into fields while you search.
Syntax
rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)
Required arguments
- field
- Syntax: field=<field>
- Description: The field that you want to extract information from. If no field is specified, _raw is used.
- regex-expression
- Syntax: <string>
- Description: A Perl Compatible Regular Expression supported by the PCRE library.
- sed-expression
- Syntax: <string>
- Description: Use Unix sed syntax to replace strings or substitute characters. For more information, see Anonymize data in the Getting Data In manual.
Optional arguments
- max_match
- Syntax: max_match=<int>
- Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields. Defaults to 1.
Description
Matches the value of the field against the unanchored regex and extracts the Perl regex named groups into fields of the corresponding names. If mode=sed is specified, the given sed expression is applied to the value of the chosen field (or to _raw if no field is specified).
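To make those semantics concrete (unanchored matching, named groups becoming fields, multivalued output when max_match is greater than 1, and sed-mode substitution), the following is an added Python emulation of rex run over constructed events. It is not Splunk's code; it assumes the PCRE named-group syntax (?<name>...) can be rewritten to Python's (?P<name>...) form, and only supports the sed "s" command with "/" delimiters and the "g" flag.

```python
import re

# Splunk passes the regex to PCRE, where named groups are written (?<name>...).
# Python's re module only accepts (?P<name>...), so rewrite that prefix. The
# lookahead requires "name>" to follow, which leaves (?<= and (?<! lookbehinds alone.
def pcre_to_python(pattern):
    return re.sub(r"\(\?<(?=\w+>)", "(?P<", pattern)

def rex_extract(value, pattern, max_match=1):
    """Emulate `rex field=<f> "<regex>" max_match=N`.
    The regex is unanchored (search, not match); every named group becomes a
    field. With max_match > 1 each field is multivalued: a list of up to N hits."""
    fields = {}
    for n, m in enumerate(re.finditer(pcre_to_python(pattern), value)):
        if n >= max_match:
            break
        for name, val in m.groupdict().items():
            if val is None:  # the group did not participate in this match
                continue
            if max_match > 1:
                fields.setdefault(name, []).append(val)
            else:
                fields[name] = val
    return fields

def rex_sed(value, sed_expr):
    """Emulate `rex mode=sed "s/<regex>/<replacement>/[g]"`.
    Assumption: only the s command, '/' delimiters and the g flag are needed."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)", sed_expr)
    if not m:
        raise ValueError("unsupported sed expression: " + sed_expr)
    regex, repl, flag = m.groups()
    # Without g only the first match is replaced, as in sed; \1 backreferences work in both.
    return re.sub(regex, repl, value, count=0 if flag == "g" else 1)

# Constructed sample events (not from any real log).
EVENTS = {
    "mail": "From: Susan To: Bob",
    "savedsearch_id": "bob;search;my_saved_search",
    "card": "card=4111-1111-1111-1111",
    "hosts": "src=10.0.0.1 src=10.0.0.2 src=10.0.0.3",
}

if __name__ == "__main__":
    print(rex_extract(EVENTS["mail"], r"From: (?<from>.*) To: (?<to>.*)"))
    print(rex_extract(EVENTS["savedsearch_id"],
                      r"(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"))
    print(rex_extract(EVENTS["hosts"], r"src=(?<src>\S+)", max_match=2))
    # Inside an SPL quoted string the backslash is doubled ("\\d"); the string
    # that reaches rex is the one written here.
    print(rex_sed(EVENTS["card"], r"s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"))
```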
Examples
Example 1: Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
Example 2: Extract "user", "app" and "SavedSearchName" from a field called "savedsearch_id" in scheduler.log events. If savedsearch_id=bob;search;my_saved_search, then user=bob, app=search and SavedSearchName=my_saved_search.
... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"
Example 3: Use sed syntax to match the regex to a series of numbers and replace them with an anonymized string.
... | rex mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"
See also
extract, kvform, multikv, xmlkv, regex
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2