Splunk® Cloud Services

SPL2 Search Reference

rex command syntax details


The required syntax is in bold.

[field=<field>] [max_match=<int>] [offset_field=<string>]
( <regex-expression> | mode=sed <sed-expression> )

You must specify either <regex-expression> or mode=sed <sed-expression> when you use the rex command.

Required arguments

regex-expression
Syntax: <string>
Description: The Perl-compatible regular expression (PCRE) that defines the information to match and extract from the specified field. Quotation marks are required.

mode
Syntax: mode=sed
Description: Specify to indicate that you are using a sed (UNIX stream editor) expression.

sed-expression
Syntax: <string>
Description: When mode=sed, specify whether to replace strings (s) or substitute characters (y) in the matching regular expression. No other sed commands are implemented. Quotation marks are required. Sed mode supports the following flags: global (g) and Nth occurrence (N), where N is a number that is the character location in the string.

Optional arguments

field
Syntax: field=<field>
Description: The field that you want to extract information from.
Default: _raw

max_match
Syntax: max_match=<int>
Description: Controls the number of times the regular expression is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1. Use 0 for unlimited matches.

offset_field
Syntax: offset_field=<string>
Description: If provided, a field is created with the name specified by <string>. The value of the field has the endpoints of the match in terms of zero-offset characters into the matched field. For example, if the rex expression is (?<tenchars>.{10}), this matches the first ten characters of the field, and the offset_field contents is 0-9.
Default: None
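
The following Python sketch is an added example, not Splunk code: it models the regex-mode behavior of field, max_match and offset_field described above, so an extraction pattern can be checked offline against a sample event. The function name rex, the constructed sshd-style event, and returning several matches as a Python list are assumptions of this example; sed mode is not modeled.

```python
import re

# Constructed sample event (documentation-range IP addresses), not real log data.
SAMPLE_EVENT = {"_raw": "Failed password for invalid user admin from 203.0.113.7 "
                        "port 52311 ssh2; Failed password for root from "
                        "198.51.100.23 port 40022 ssh2"}
PATTERN = r"from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"

def _to_python(pattern):
    # PCRE names groups as (?<name>...); Python's re module needs (?P<name>...).
    # The lookahead leaves lookbehinds, (?<= and (?<!, untouched.
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)

def rex(event, pattern, field="_raw", max_match=1, offset_field=None):
    """Return a copy of event with the named groups of pattern added as fields."""
    out = dict(event)
    text = event.get(field)
    if text is None:                      # nothing to extract from
        return out
    values, offsets = {}, []
    for n, m in enumerate(re.finditer(_to_python(pattern), text)):
        if max_match and n >= max_match:  # max_match=0 means unlimited matches
            break
        for name, val in m.groupdict().items():
            if val is not None:
                values.setdefault(name, []).append(val)
        # Endpoints are zero-offset and inclusive, so ten characters give 0-9.
        offsets.append(f"{m.start()}-{m.end() - 1}")
    for name, vals in values.items():
        # One match yields a single value; several yield a multivalued field
        # (modeled here as a list, which is an assumption of this sketch).
        out[name] = vals[0] if len(vals) == 1 else vals
    if offset_field and offsets:
        out[offset_field] = offsets[0] if len(offsets) == 1 else offsets
    return out

if __name__ == "__main__":
    print(rex(SAMPLE_EVENT, PATTERN))                # default max_match=1
    print(rex(SAMPLE_EVENT, PATTERN, max_match=0))   # every match, multivalued
    print(rex({"_raw": "0123456789abcdef"}, "(?<tenchars>.{10})",
              offset_field="off"))
```

With the default max_match=1 only the first source address is extracted, which matters when a single event can carry more than one occurrence of the value a detection depends on.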

See also

rex command
rex command overview
rex command usage
rex command examples
Last modified on 20 October, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current
