SPL2 and regular expressions
Splunk Search Processing Language (SPL) regular expressions are Perl Compatible Regular Expressions (PCRE).
You can use regular expressions with the rex command, and with the
replace evaluation functions. See the Quick Reference for SPL2 eval functions in the SPL2 Search Reference.
Here are a few things that you should know about using regular expressions in SPL searches.
A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.
Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:
...|regex "expression | with pipe"
This is interpreted by SPL as a search for the text "expression" OR "with pipe".
The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example. The period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying
\. in your regular expression.
Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.
Searches that include a regular expression that contains a double backslash, such as in a filepath like
c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as
c:\temp, one of the backslashes is removed.
You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example:
c:\\\\temp. For a longer filepath, such as
c:\\temp\example, you would specify
c:\\\\temp\\example in your regular expression in the search string.
- Related information
- About Splunk and regular expressions
About Splunk regular expressions
Built-in and custom functions
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!