erex
Use the erex command for regular expression field extraction when you don't know the regular expression to use but you do have example values in your retrieved events. The command automatically extracts field values similar to the example values.
erex [<field>] examples=<string> [counterexamples=<string>] [fromfield=<field>] [maxtrainers=<int>]
Required arguments
examples
- Syntax: examples=<string>,...
- Description: A comma-separated list of example values for the information to be extracted and saved into a new field.
Optional arguments
counterexamples
- Syntax: counterexamples=<string>,...
- Description: A comma-separated list of example values that represent information that must not be extracted.
field
- Syntax: <string>
- Description: A name for a new field that will take the values extracted from fromfield. If field is not specified, values are not extracted, but the resulting regular expression is generated and returned in an error message. That expression can then be used with the rex command for more efficient extraction.
fromfield
- Syntax: fromfield=<field>
- Description: The name of the existing field to extract the information from and save into a new field. Defaults to _raw.
maxtrainers
- Syntax: maxtrainers=<int>
- Description: The maximum number of values to learn from. Must be between 1 and 1000. Defaults to 100.
If you specify a field name, the values extracted from fromfield are saved to it. Otherwise, Splunk search returns a regular expression that you can then use with the rex command to extract the field.
Note: The values specified in counterexamples must exist in the retrieved events that are piped into the erex command. If they do not exist, the command fails. To make sure that erex works, first run the search that returns the events you want. Then, copy the field values you want to extract and use those as example values for erex.
Example 1: Extracts values like "7/01" and "7/02", but not patterns like "99/2", putting the extractions into the "monthday" field.
... | erex monthday examples="7/01, 07/02" counterexamples="99/2"
Example 2: Extracts values like "7/01", putting them into the "monthday" field.
... | erex monthday examples="7/01"
Example 3: Display ports for potential attackers. First, run the search for these potential attackers to find example port values. Then, use erex to extract the port field. Because erex extracts values shaped like the examples, the port field here holds values such as "port 2887"; give bare numbers as examples if you want only the port number.
sourcetype=linux_secure port "failed password" | erex port examples="port 2887, port 3434" | top port
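To make the workflow behind Examples 1 to 3 concrete, here is an added Python model of what erex does. It is an illustration written for this page, not Splunk's implementation (the page does not describe Splunk's inference algorithm): it generalises the example values into a regular expression with a named capture group, refuses example or counterexample values that do not occur in the events, rejects a pattern that would also match a counterexample, and then applies the learned pattern the way rex would and counts the results the way top would. The sshd-style events and the date strings are constructed sample data, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample events in the shape of linux_secure "Failed password"
# lines (made-up data, not from the documentation page).
EVENTS = [
    "Jan 10 12:00:01 bastion sshd[1234]: Failed password for root from 10.1.1.5 port 2887 ssh2",
    "Jan 10 12:00:02 bastion sshd[1235]: Failed password for invalid user admin from 10.1.1.5 port 3434 ssh2",
    "Jan 10 12:00:03 bastion sshd[1236]: Failed password for root from 10.1.1.9 port 2887 ssh2",
    "Jan 10 12:00:04 bastion sshd[1237]: Accepted password for bob from 10.1.1.7 port 51022 ssh2",
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+|\s+|.")


def _values(arg):
    """Accept a list, or the comma-separated string form erex uses."""
    if isinstance(arg, str):
        return [v.strip() for v in arg.split(",") if v.strip()]
    return list(arg)


def _shape(value):
    """Tokenise a value into (kind, text) pairs: digit run, letter run,
    whitespace run, or a single literal character."""
    kinds = []
    for text in _TOKEN.findall(value):
        kind = "d" if text.isdigit() else "a" if text.isalpha() else "s" if text.isspace() else "lit"
        kinds.append((kind, text))
    return kinds


def _quant(texts):
    """Quantifier covering the run lengths seen across the examples."""
    lo, hi = min(map(len, texts)), max(map(len, texts))
    if lo == hi:
        return "" if lo == 1 else "{%d}" % lo
    return "{%d,%d}" % (lo, hi)


def learn_regex(field, examples, counterexamples=(), events=EVENTS):
    """Infer a regex with a named group <field> from example values: digit runs
    become \\d with the length range seen in the examples, letter runs stay
    literal when identical across examples, and the result must match every
    example and no counterexample. As the page notes, the values must occur in
    the retrieved events, so that is checked first."""
    examples, counterexamples = _values(examples), _values(counterexamples)
    for v in examples + counterexamples:
        if not any(v in ev for ev in events):
            raise ValueError("value %r does not occur in the retrieved events" % v)
    shapes = [_shape(ex) for ex in examples]
    template = [k for k, _ in shapes[0]]
    if any([k for k, _ in s] != template for s in shapes[1:]):
        raise ValueError("examples do not share one token structure; split them into separate erex calls")
    parts = []
    for i, kind in enumerate(template):
        texts = [s[i][1] for s in shapes]
        if kind == "d":
            parts.append(r"\d" + _quant(texts))
        elif kind == "a" and len(set(texts)) > 1:
            parts.append("[A-Za-z]" + _quant(texts))
        elif kind == "s":
            parts.append(r"\s" + _quant(texts))
        elif len(set(texts)) == 1:
            parts.append(re.escape(texts[0]))  # identical context stays literal
        else:
            parts.append("[" + "".join(re.escape(c) for c in sorted(set(texts))) + "]")
    pattern = "(?P<%s>%s)" % (field, "".join(parts))
    rx = re.compile(pattern)
    for ex in examples:
        if not rx.fullmatch(ex):
            raise RuntimeError("learned %s does not match example %r" % (pattern, ex))
    for cx in counterexamples:
        if rx.fullmatch(cx):
            raise ValueError("learned %s also matches counterexample %r" % (pattern, cx))
    return pattern


def rex(field, pattern, events):
    """Apply a learned pattern the way rex would: first match per event, None where none."""
    rx = re.compile(pattern)
    out = []
    for ev in events:
        m = rx.search(ev)
        out.append(m.group(field) if m else None)
    return out


def search_failed_password(events=EVENTS):
    """Stand-in for the search: sourcetype=linux_secure port "failed password"."""
    return [ev for ev in events if "port" in ev and "failed password" in ev.lower()]


def top_ports(events=EVENTS):
    """Example 3 end to end: search, learn the pattern, extract, count (like top)."""
    hits = search_failed_password(events)
    pattern = learn_regex("port", "port 2887, port 3434", events=hits)
    values = [v for v in rex("port", pattern, hits) if v is not None]
    return pattern, Counter(values).most_common()


if __name__ == "__main__":
    learned, counts = top_ports()
    print("learned pattern (reuse with rex):", learned)
    for value, count in counts:
        print(count, value)
```

Two things the model makes visible that matter when you use the real command: the learned quantifier is only as wide as the examples (here `\d{4}`, so a five-digit port would be missed unless you add such an example), and a counterexample that the learned pattern still matches is a signal that your examples do not separate the two shapes, not something to ignore.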
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18