SPL2 and regular expressions
Splunk Search Processing Language (SPL) regular expressions are Perl Compatible Regular Expressions (PCRE).
Here are a few things that you should know about using regular expressions in SPL searches.
A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.
Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:
...|regex "expression | with pipe"
This is interpreted by SPL as a search for the text "expression" OR "with pipe".
The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example, the period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \. in your regular expression.
Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.
When a search includes a regular expression that contains a double backslash, such as in a filepath like c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as c:\temp, so one of the backslashes is removed.
You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example: c:\\\\temp. For a longer filepath, such as c:\\temp\example, you would specify c:\\\\temp\\example in your regular expression in the search string.
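The escaping rule above, checked against sample events. This is an added example, not part of the Splunk documentation. It assumes Python's re module as a stand-in for the PCRE engine (both treat a doubled backslash as one literal backslash); the function names and the events are constructed for illustration.

```python
import re

# Characters the page calls out as special in a regular expression:
# backslash (escape), period (any character), pipe (OR).
SPECIAL = "\\.|"

def escape_literal(text: str) -> str:
    """Prefix each backslash, period and pipe with a backslash."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in text)

def matches(pattern: str, event: str) -> bool:
    """True if the pattern is found anywhere in the event text."""
    return re.search(pattern, event) is not None

# Constructed sample events; raw strings keep every backslash as written.
EVENT_DOUBLE = r"path=c:\\temp\example.log"   # two backslashes after c:
EVENT_SINGLE = r"path=c:\temp\example.log"    # one backslash after c:

def demo() -> dict:
    # Under-escaped: the regex engine reads \\ as ONE literal backslash.
    under = r"c:\\temp"
    # Fully escaped form of the page's longer filepath: c:\\\\temp\\example
    full = escape_literal(r"c:\\temp\example")
    return {
        "full_pattern": full,
        "under_hits_single": matches(under, EVENT_SINGLE),
        "under_hits_double": matches(under, EVENT_DOUBLE),
        "full_hits_double": matches(full, EVENT_DOUBLE),
        "full_hits_single": matches(full, EVENT_SINGLE),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a detection search, the under-escaped pattern fails in both directions: it misses the events that contain the doubled backslash and matches events that contain a different path.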
Related information
- About Splunk and regular expressions
- About Splunk regular expressions
- Built-in and custom functions
This documentation applies to the following versions of Splunk® Cloud Services: current