Splunk® Cloud Services

SPL2 Search Reference

rex command examples

The following are examples for using the SPL2 rex command.

1. Use a <sed-expression> to mask values

Use a <sed-expression> to match the regex to a series of numbers and replace the numbers with an anonymized string to preserve privacy. In this example the first 3 sets of numbers for a credit card are masked. The \d must be escaped in the expression using a backslash ( \ ) character.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"
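To check what this expression leaves unmasked, the following added example (Python, not part of the Splunk documentation) applies the same substitution to constructed sample values and reports card-like numbers that are still readable afterwards. The function names, the candidate pattern, and the Luhn filter are assumptions of this example.

```python
import re

# Python equivalent of the page's sed expression s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g
MASK_RE = re.compile(r"(\d{4}-){3}")
MASK = "XXXX-XXXX-XXXX-"
# Assumed candidate pattern: 13 to 19 digits, optionally split by spaces or hyphens
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def mask(value):
    """Apply the same substitution the rex sed expression performs."""
    return MASK_RE.sub(MASK, value)


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def unmasked_pans(value):
    """Return card-like numbers that are still readable after masking."""
    found = []
    for m in PAN_RE.finditer(mask(value)):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(m.group())
    return found


# Constructed sample values using widely published test card numbers
SAMPLES = [
    "4111-1111-1111-1111",   # hyphenated 4-4-4-4: masked by the expression
    "4111 1111 1111 1111",   # space separated: not matched
    "4111111111111111",      # no separators: not matched
    "3782-822463-10005",     # 15 digits grouped 4-6-5: not matched
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} -> {mask(s)!r:24} leaked={unmasked_pans(s)}")
```

Only the hyphenated 4-4-4-4 layout is masked; the other three sample values pass through unchanged, so the ccnumber field needs a consistent format before this expression is relied on for masking.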

2. Regular expressions with character classes

In this example, the clientip field contains IP addresses. You want to extract the IP class from the IP address. However, the expression uses the character class \d. You can specify the expression in one of two ways.

You can escape the backslash character by enclosing the string in quotation marks and adding another backslash to the character class, as shown in this example:

... | rex field=clientip "(?<ipclass>\\d+)"

You can use a forward slash ( / ), instead of quotation marks, to enclose the expression that contains a character class. Here's an example:

... | rex field=clientip /(?<ipclass>\d+)/

Either method returns a field called ipclass that contains the class portion of the IP address.

See also

rex command
rex command overview
rex command syntax details
rex command usage
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
