Splunk® Cloud Services

SPL2 Search Reference

rex command overview

Use the SPL2 rex command to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.

The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names.

When mode=sed, the sed expression is applied to the value of the specified field to replace or substitute characters. The same sed syntax is also used to mask sensitive data at index time.

If a field is not specified, the regular expression or sed expression is applied to the _raw field. Running the rex command against the _raw field might have a performance impact.

Use the rex command for search-time field extraction or string replacement and character substitution.


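Syntax

The required syntax is the rex command name followed by either a <regex-expression> or mode=sed with a <sed-expression>. Arguments in square brackets are optional.

rex [field=<field>] [max_match=<int>] [offset_field=<string>]
( <regex-expression> | mode=sed <sed-expression> )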
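
The following is an added example, not taken from the Splunk documentation, that applies both modes to the same event. The dataset name main, the field name message, and the sample value are assumptions constructed for illustration. The patterns use bracket classes such as [0-9] so that no backslash escaping is needed inside the quoted strings.

```spl2
// Constructed sample value of the hypothetical field "message":
//   login ok user=jsmith src=10.1.2.3 card=1234-5678-9012-3456

from main

// Named-group extraction. The regular expression is unanchored, so it
// matches in the middle of the value without a leading or trailing wildcard.
// New fields on the sample event: user="jsmith", src_ip="10.1.2.3"
| rex field=message "user=(?<user>[a-z0-9_]+) src=(?<src_ip>[0-9.]+)"

// sed substitution. Replaces the first three 4-digit groups of the card
// number and keeps the last four digits for correlation.
// message becomes: login ok user=jsmith src=10.1.2.3 card=XXXX-XXXX-XXXX-3456
| rex field=message mode=sed "s/([0-9]{4}-){3}/XXXX-XXXX-XXXX-/g"

// Return the extracted fields next to the masked value.
| fields user, src_ip, message
```

Because rex runs at search time, the sed substitution here changes only the search results. The stored event still contains the full value, so this does not replace masking at index time.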

See also

rex command
rex command syntax details
rex command usage
rex command examples
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
