Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

rex command usage

Pipe characters

A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.

Because pipe characters are used to separate commands in SPL2, you must enclose a regular expression that uses the pipe character in double quotation marks. For example:

...| rex "expression | with pipe"

This is interpreted by SPL2 as a search for the text "expression" OR "with pipe".

Backslash characters

The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example. The period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying . in your regular expression.

Splunk SPL2 uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.

Searches that include a regular expression that contains a double backslash encounters a double backslash, such as in a filepath like c:\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as c: emp, one of the backslashes is removed.

You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example: c:\\temp. For a longer filepath, such as c:\tempexample, you would specify c:\\temp\example in your regular expression in the search string.

Sed expression

When using the rex command in sed mode, you have two options: replace (s) or character substitution (y).

The syntax for using sed to replace (s) text in your data is: s/<regex>/<replacement>/<flags>

  • <regex> is a PCRE regular expression, which can include capturing groups.
  • <replacement> is a string to replace the regex match. Use n for backreferences, where "n" is a single digit.
  • <flags> can be either: g to replace all matches, or a number to replace a specified match.

The syntax for using sed to substitute characters is: y/<string1>/<string2>/

  • This substitutes the characters that match <string1> with the characters in <string2>.

Differences between SPL and SPL2

Support for raw string literals

New in SPL2 is support for raw string literals.

Options must be specified before the expressions

The field option must be specified before the <regex-expression> or <sed-expression> argument.

Version Example Example
SPL ...rex "From: (?<from>.*) To: (?<to>.*)" field=myfield ...rex "From: (?<from>.*) To: (?<to>.*)" max_match=10 offset_field=newofield
SPL2 ...rex field=myfield "From: (?<from>.*) To: (?<to>.*)" ...rex max_match=10 offset_field=newofield "From: (?<from>.*) To: (?<to>.*)"

The max_match and offset_field options must be specified before the <regex-expression> argument.

Version Example
SPL ...rex "From: (?<from>.*) To: (?<to>.*)" max_match=10 offset_field=newofield
SPL2 ...rex max_match=10 offset_field=newofield "From: (?<from>.*) To: (?<to>.*)"

The mode option must be specified before the <sed-expression> argument.

Version Example
SPL ...rex field=ccnumber "s/(d{4}-){3}/XXXX-XXXX-XXXX-/g" mode=sed
SPL2 ...rex field=ccnumber mode=sed "s/(d{4}-){3}/XXXX-XXXX-XXXX-/g"


See also

rex command
rex command overview
rex command syntax details
rex command examples
Last modified on 20 October, 2020
PREVIOUS
rex command syntax details
  NEXT
rex command examples

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters