Splunk® Cloud Services

SPL2 Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

SPL2 and regular expressions

Splunk Search Processing Language (SPL) regular expressions are Perl Compatible Regular Expressions (PCRE).

You can use regular expressions with the rex command, and with the match, mvfind, and replace evaluation functions. See the Quick Reference for SPL2 eval functions in the SPL2 Search Reference.

Here are a few things that you should know about using regular expressions in SPL searches.

Pipe characters

A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.

Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:

...|regex "expression | with pipe"

This is interpreted by SPL as a search for the text "expression" OR "with pipe".

Backslash characters

The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example. The period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \. in your regular expression.

Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.

Searches that include a regular expression that contains a double backslash, such as in a filepath like c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as c:\temp, one of the backslashes is removed.

You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example: c:\\\\temp. For a longer filepath, such as c:\\temp\example, you would specify c:\\\\temp\\example in your regular expression in the search string.

See also

Related information
About Splunk and regular expressions
Last modified on 16 May, 2023
PREVIOUS
About Splunk regular expressions
  NEXT
Built-in and custom functions

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters