rex command syntax details

Syntax

The required syntax is in bold.

rex

[field=<field>] [max_match=<int>] [offset_field=<string>]

( <regex-expression> | mode=sed <sed-expression> )

You must specify either <regex-expression> or mode=sed <sed-expression> when you use the rex command.

regex-expression: Syntax: <string>; Description: The regular expression using the perl-compatible regular expressions (PCRE) format that defines the information to match and extract from the specified field. Quotation marks are required.; The Edge Processor solution supports Regular Expression 2 (RE2) syntax instead of PCRE syntax. In particular RE2 and PCRE accept different syntax for named capture groups. See Regular expression syntax for Edge Processor pipelines in Use Edge Processors.

mode: Syntax: mode=sed; Description: Specify to indicate that you are using a sed (UNIX stream editor) expression.

sed-expression: Syntax: <string>; Description: When mode=sed, specify whether to replace strings (s) or substitute characters (y) in the matching regular expression. No other sed commands are implemented. Quotation marks are required. Sed mode supports the following flags: global (g) and Nth occurrence (N), where N is a number that is the character location in the string.

field: Syntax: field=<field>; Description: The field that you want to extract information from.; Default: _raw

max_match: Syntax: max_match=<int>; Description: Controls the number of times the regular expression is matched. If greater than 1, the resulting fields are multivalued fields. You can use 0 for unlimited matches.; Default: 1

offset_field: Syntax: offset_field=<string>; Description: If provided, a field is created with the name specified by <string>. The value of this field has the endpoints of the match in terms of zero-offset characters into the matched field. For example, if the rex expression is (?<tenchars>.{10}), this matches the first ten characters of the field, and the offset_field contents is 0-9.; Default: None