SPL and regular expressions
Splunk regular expressions are PCRE (Perl Compatible Regular Expressions).
Here are a few things that you should know about using regular expressions in Splunk searches.
A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.
Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:
...|regex "expression | with pipe"
This is interpreted by SPL as a search for the text "expression" OR "with pipe".
The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example. The period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying
\. in your regular expression.
Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.
Searches that include a regular expression that contains a double backslash encounters a double backslash, such as in a filepath like
c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as
c:\temp, one of the backslashes is removed.
You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example:
c:\\\\temp. For a longer filepath, such as
c:\\temp\example, you would specify
c:\\\\temp\\example in your regular expression in the search string.
More about regular expressions
For more information:
Use CASE() and TERM() to match phrases
About search optimization
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3