
rex command examples
The following are examples for using the SPL2 rex
command.
To learn more about the rex
command, see How the rex command works.
1. Use a <sed-expression> to mask values
Use a <sed-expression> to match the regex to a series of numbers and replace the numbers with an anonymized string to preserve privacy. In this example the first 3 sets of numbers for a credit card are masked. The \d
must be escaped in the expression using a back slash ( \ ) character.
... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"
2. Regular expressions with character classes
In this example, the clientip
field contains IP addresses. You want to extract the IP class from the IP address. However, the expression uses the character class \d
. You can specify the expression in one of two ways.
You can escape the backslash character by enclosing the string in quotation marls and adding another backslash to the character class, as shown in this example:
... | rex field=clientip "(?<ipclass>\\d+)"
You can use a forward slash ( / ), instead of quotation marks, to enclose the expression that contains a character class. Here's an example:
... | rex field=clientip /(?<ipclass>\d+)/
Either method returns a field called ipclass
that contains the class portion of the IP address.
See also
PREVIOUS rex command usage |
NEXT search command overview |
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!