Splunk® Cloud Services

SPL2 Search Reference

rex command examples

The following are examples for using the SPL2 rex command. To learn more about the rex command, see How the rex command works.

1. Use a <sed-expression> to mask values

Use a <sed-expression> to match the regex to a series of numbers and replace the numbers with an anonymized string to preserve privacy. In this example, the first 3 sets of numbers for a credit card are masked. The \d must be escaped in the expression using a backslash ( \ ) character.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"
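The following Python sketch is an added example, not part of the Splunk documentation. It applies the same regex and replacement as the sed expression above to constructed sample values and reports which card number formats pass through unmasked. It assumes Python's re module treats this simple pattern the same way rex does; the names mask_ccnumber, audit_masking, and RESIDUAL_PAN are hypothetical.

```python
import re

# Regex and replacement taken from the sed expression
# s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g shown above.
MASK_PATTERN = re.compile(r"(\d{4}-){3}")
MASK_REPLACEMENT = "XXXX-XXXX-XXXX-"

# Hypothetical residual check (an assumption, not a Splunk feature):
# 12 or more digits, each optionally followed by a space or hyphen.
RESIDUAL_PAN = re.compile(r"(?:\d[ -]?){12,}")


def mask_ccnumber(value: str) -> str:
    """Replace every match, as the trailing g flag does in sed mode."""
    return MASK_PATTERN.sub(MASK_REPLACEMENT, value)


def audit_masking(values):
    """Return (original, masked, leaked) per value.

    leaked is True when a long digit run is still present after masking.
    """
    results = []
    for value in values:
        masked = mask_ccnumber(value)
        leaked = RESIDUAL_PAN.search(masked) is not None
        results.append((value, masked, leaked))
    return results


# Constructed sample values, not real card numbers.
SAMPLES = [
    "1234-5678-9012-3456",  # hyphenated 4-4-4-4: masked
    "1234567890123456",     # no separators: pattern never matches
    "1234 5678 9012 3456",  # space separated: pattern never matches
    "1234-567890-12345",    # 4-6-5 grouping: pattern never matches
]

if __name__ == "__main__":
    for original, masked, leaked in audit_masking(SAMPLES):
        print(f"{original!r:24} -> {masked!r:24} leaked={leaked}")
```

Only the hyphenated 4-4-4-4 value is masked. If the ccnumber field can hold other layouts, the expression needs additional alternatives or the values need normalizing before masking.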

2. Regular expressions with character classes

In this example, the clientip field contains IP addresses. You want to extract the IP class from the IP address. However, the expression uses the character class \d. You can specify the expression in one of two ways.

You can escape the backslash character by adding another backslash, as shown in this example:

... | rex field=clientip "(?<ipclass>\\d+)"

You can use a forward slash ( / ), instead of quotation marks, to enclose the expression that contains a character class. Here's an example:

... | rex field=clientip /(?<ipclass>\d+)/

Either method returns a field called ipclass that contains the class portion of the IP address.

See also

rex command
rex command overview
rex command syntax details
rex command usage
Last modified on 21 September, 2022

This documentation applies to the following versions of Splunk® Cloud Services: current
