Splunk® Cloud Services

SPL2 Search Reference

rex command examples

The following are examples for using the SPL2 rex command. To learn more about the rex command, see How the rex command works.

1. Use a <sed-expression>

Use a <sed-expression> to match a series of numbers with a regex and replace the numbers with an anonymized string. In this example, the first 3 sets of numbers in a credit card number are anonymized. The \d must be escaped in the expression using a backslash ( \ ) character.

... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"
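The sed expression above matches only groups of four digits followed by a hyphen, so the same substitution is reproduced here in Python to check which card number formats it leaves unmasked. This is an added example, not part of the Splunk documentation; the `PAN_LIKE_RE` follow-up check, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Python equivalent of the page's sed expression:
#   s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g
MASK_RE = re.compile(r"(\d{4}-){3}", re.ASCII)
MASK = "XXXX-XXXX-XXXX-"

# Hypothetical follow-up check (not from the page): a run of 13 to 19 digits,
# each optionally preceded by a single space or hyphen.
PAN_LIKE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b", re.ASCII)


def mask_ccnumber(value):
    """Apply the same substitution the rex sed expression performs."""
    return MASK_RE.sub(MASK, value)


def unmasked_after_rex(values):
    """Return the inputs that still hold a card-like digit run after masking."""
    return [v for v in values if PAN_LIKE_RE.search(mask_ccnumber(v))]


# Constructed sample values (well-known test numbers, not real cards).
SAMPLES = [
    "4111-1111-1111-1111",          # hyphenated: matched by the expression
    "4111 1111 1111 1111",          # space separated: not matched
    "4111111111111111",             # no separators: not matched
    "card=5500-0000-0000-0004 ok",  # hyphenated, embedded in other text
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {mask_ccnumber(sample)!r}")
    print("still exposed:", unmasked_after_rex(SAMPLES))
```

Values that come back from `unmasked_after_rex` show that the source writes card numbers in a format the hyphen-only expression does not cover, so the expression needs to be widened before the field is treated as anonymized.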

2. Extract values from a field using a <regex-expression>

Extract "user", "app" and "SavedSearchName" from a field called "savedsearch_id" in scheduler.log events. If the contents of the field are savedsearch_id=bob;search;my_saved_search, then this rex command syntax extracts user=bob, app=search, and SavedSearchName=my_saved_search.

... | rex field=savedsearch_id "(?<user>\w+);(?<app>\w+);(?<SavedSearchName>\w+)"

See also

rex command
rex command overview
rex command syntax details
rex command usage
Last modified on 04 October, 2021
This documentation applies to the following versions of Splunk® Cloud Services: current