SPL2 and regular expressions

Splunk Search Processing Language (SPL) regular expressions are Perl Compatible Regular Expressions (PCRE).

You can use regular expressions with the rex command, and with the match, mvfind, and replace evaluation functions. See the Quick Reference for SPL2 eval functions in the SPL2 Search Reference.

Here are a few things that you should know about using regular expressions in SPL searches.

Pipe characters

A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.

Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:

...|regex "expression | with pipe"

This is interpreted by SPL as a search for the text "expression" OR "with pipe".

Backslash characters

The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example. The period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \. in your regular expression.

Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.

Searches that include a regular expression that contains a double backslash, such as in a filepath like c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as c:\temp, one of the backslashes is removed.

You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example: c:\\\\temp. For a longer filepath, such as c:\\temp\example, you would specify c:\\\\temp\\example in your regular expression in the search string.

See also

Related information

About Splunk and regular expressions