regex
Synopsis
Removes results that do not match the specified regular expression.
Syntax
regex <field>( = | != )<regex-expression>
Required arguments
- field
- Syntax: <field>
- Description: Specify the field name from which to match the values against the regular expression.
- = | !=
- Description: Matches the value of the field against the unanchored regex and only keeps those events that match in the case of '=' or do not match in the case of '!='.
- regex-expression
- Syntax: "<string>"
- Description: A Perl Compatible Regular Expression, as supported by the PCRE library.
Description
Filters search results by matching a field against a regular expression. With "=" the command keeps only the results whose field matches the expression; with "!=" it keeps only the results whose field does not match. The match is unanchored, so the expression may occur anywhere in the field value.
Note: If the regex argument contains the alternation operator "|", the whole regex expression must be surrounded by double quotes (i.e. regex _raw="expression"); an unquoted "|" is read as the pipe to the next search command.
Examples
Example 1: Keep only search results whose "_raw" field contains an IP address in the non-routable class A range (10.0.0.0/8). The lookbehind and lookahead stop the pattern from matching inside a longer run of digits (for example "110.1.2.3"), and the dots are escaped so that they match literal dots only.
... | regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
Example 2: Keep only search results whose "_raw" field does not contain an IP address in 10.0.0.0/8 (the same expression, with "!=" instead of "=").
... | regex _raw!="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
Example 3: A regex that contains the alternation operator "|" must be enclosed in double quotes.
... | regex _raw="complicated|regex(?=expression)"
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3
How to make it case-insensitive?