Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

rex command usage

SPL2 supports perl-compatible regular expressions (PCRE) for regular expressions.

The Edge Processor solution, which uses the rex command, supports Regular Expression 2 (RE2) syntax instead of PCRE syntax. See rex command syntax details.

Pipe characters

A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.

Because pipe characters are used to separate commands in SPL2, you must enclose a regular expression that uses the pipe character in double quotation marks. For example:

...| rex "expression | with pipe"

This is interpreted by SPL2 as a search for the text "expression" OR "with pipe".

Escaping characters with backslashes

The backslash ( \ ) character is used to ignore, or escape, most special characters in regular expressions.

Character classes and string expressions

Regular expressions that include a character class, such as \d or \w, can be specified using one of two methods. The following table describes the methods and shows an example:

Description Example
Enclose the string expression in quotation marks and escape the backslash character in the character class.

...rex field=clientip "(?<ipclass>\\d+)"

Enclose the string expression in forward ( / ) slashes. You don't need to escape the backslash character in the character class.

...rex field=clientip /(?<ipclass>\d+)/

Period characters

The period ( . ) character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \. in your regular expression.

Asterisk characters

The asterisk ( * ) character is a reserved character in SPL2 and can't be escaped. SPL2 uses the asterisk as a wildcard character.

Double backslash characters

When a search includes a regular expression that contains a double backslash, for example to represent a file path like c:\\temp, the search interprets the first backslash as an escape character. The file path is interpreted as c:\temp. One of the backslashes is removed.

You must escape both backslash characters in a file path by specifying 4 consecutive backslashes for the root portion of the file path. For example: c:\\\\temp. For a longer file path, such as c:\\temp\example, you would specify c:\\\\temp\\example in your regular expression.

Sed expression

When using the rex command in sed mode, you have two options: replace (s) or character substitution (y).

The syntax for using sed to replace (s) text in your data is: s/<regex>/<replacement>/<flags>

  • <regex> is a PCRE regular expression, which can include capturing groups.
  • <replacement> is a string to replace the regex match. Use n for backreferences, where "n" is a single digit.
  • <flags> can be either: g to replace all matches, or a number to replace a specified match.

The syntax for using sed to substitute characters is: y/<string1>/<string2>/

  • This substitutes the characters that match <string1> with the characters in <string2>.

Differences between SPL and SPL2

Support for raw string literals

New in SPL2 is support for raw string literals.

Options must be specified before the expressions

The field option must be specified before the <regex-expression> or <sed-expression> argument.

Version Example Example
SPL ...rex "From: (?<from>.*) To: (?<to>.*)" field=myfield ...rex "From: (?<from>.*) To: (?<to>.*)" max_match=10 offset_field=newofield
SPL2 ...rex field=myfield "From: (?<from>.*) To: (?<to>.*)" ...rex max_match=10 offset_field=newofield "From: (?<from>.*) To: (?<to>.*)"

The max_match and offset_field options must be specified before the <regex-expression> argument.

Version Example
SPL ...rex "From: (?<from>.*) To: (?<to>.*)" max_match=10 offset_field=newofield
SPL2 ...rex max_match=10 offset_field=newofield "From: (?<from>.*) To: (?<to>.*)"

See also

rex command
rex command overview
rex command syntax details
rex command examples
Last modified on 08 December, 2022
rex command syntax details
rex command examples

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters