erex command to extract data from a field when you do not know the regular expression to use. The command automatically extracts field values that are similar to the example values you specify.
If you specify a field argument, the values extracted from the fromfield argument are saved to the field. Otherwise, the search returns a regular expression that you can then use with the rex command to extract the field.
erex [<field>] examples=<string> [counterexamples=<string>] [fromfield=<field>] [maxtrainers=<int>]
- Syntax: examples=<string>,<string>...
- Description: A comma-separated list of example values for the information to extract and save into a new field. Use quotation marks around the list if the list contains spaces. For example: "port 3351, port 3768".
- Syntax: counterexamples=<string>,<string>,...
- Description: A comma-separated list of example values that represent information not to be extracted.
- Syntax: <string>
- Description: A name for a new field that will take the values extracted from fromfield. If field is not specified, values are not extracted, but the resulting regular expression is generated and placed as a message under the Jobs menu in Splunk Web. That regular expression can then be used with the rex command for more efficient extraction.
- Syntax: fromfield=<field>
- Description: The name of the existing field to extract the information from and save into a new field.
- Syntax: maxtrainers=<int>
- Description: The maximum number of values to learn from. Must be between 1 and 1000.
- Default: 100
The values specified in the counterexample arguments must exist in the events that are piped into the erex command. If the values do not exist, the command fails.
To make sure that the erex command works against your events, first run the search that returns the events you want without the erex command. Then copy the field values that you want to extract and use those for the example values with the
Extracts out values like "7/01" and "7/02", but not patterns like "99/2", putting extractions into the "monthday" attribute.
... | erex monthday examples="7/01, 07/02" counterexamples="99/2"
Extracts out values like "7/01", putting them into the "monthday" attribute.
... | erex monthday examples="7/01"
Example 3: Display ports for potential attackers. First, run the search for these potential attackers to find example port values. Then, use erex to extract the port field.
sourcetype=secure* port "failed password" | erex port examples="port 3351, port 3768" | top port
This search returns a table with the count of top ports that match the search. Also, find the regular expression generated under the Jobs menu.
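An added example, not part of the Splunk documentation: a Python check that a candidate regular expression extracts every example value and no counterexample before it is reused with rex. The sample events, both patterns and the validate helper are constructed for illustration; the patterns are hand-written and are not erex output.

```python
import re
from collections import Counter

# Constructed sample events in sshd "secure" log style (not from the page).
EVENTS = [
    "Jan 10 03:12:01 host1 sshd[811]: Failed password for root from 203.0.113.7 port 3351 ssh2",
    "Jan 10 03:12:04 host1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 3768 ssh2",
    "Jan 10 03:12:09 host1 sshd[902]: Failed password for root from 198.51.100.23 port 3351 ssh2",
    "Jan 10 03:13:30 host1 sshd[950]: Failed password for guest from 198.51.100.23 port 4020 ssh2",
]

# Hand-written candidates standing in for a regex copied from the Jobs menu.
# Splunk's rex writes the group as (?<port>...); Python needs (?P<port>...).
CANDIDATE = r"(?P<port>port \d+)"
LOOSE = r"(?P<port>\d+)"  # too broad: the first number in each event is the day


def validate(pattern, field, events, examples, counterexamples=()):
    """Report examples the pattern misses and counterexamples it extracts."""
    # Mirror erex: values that do not occur in the events are an error.
    absent = [v for v in list(examples) + list(counterexamples)
              if not any(v in e for e in events)]
    if absent:
        raise ValueError(f"values not present in events: {absent}")
    rx = re.compile(pattern)
    # Like rex with default settings, keep only the first match per event.
    matches = (rx.search(e) for e in events)
    extracted = [m.group(field) for m in matches if m]
    return {
        "missed": [v for v in examples if v not in extracted],
        "leaked": [v for v in counterexamples if v in extracted],
        "top": Counter(extracted).most_common(),  # same idea as "| top port"
    }


if __name__ == "__main__":
    examples = ["port 3351", "port 3768"]
    for name, pat in (("CANDIDATE", CANDIDATE), ("LOOSE", LOOSE)):
        print(name, validate(pat, "port", EVENTS, examples, ["10"]))
```

A pattern is ready to paste into a rex search only when both "missed" and "leaked" come back empty.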
This documentation applies to the following versions of Splunk Cloud™: 7.0.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3, 6.5.0