Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF


Use the erex command for regular expression field extraction when you don't know the regular expression to use but you do have example values in your retrieved events.


Automatically extracts field values similar to the example values.


erex [<field>] examples=<string> [counterexamples=<string>] [fromfield=<field>] [maxtrainers=<int>]

Required arguments

Syntax: examples=<string>,...
Description: A comma-separated list of example values for the information to be extracted and saved into a new field.

Optional arguments

Syntax: counterexamples=<string>,...
Description: A comma-separated list of example values that represent information not to be extracted.
Syntax: <string>
Description: A name for a new field that will take the values extracted from fromfield. If field is not specified, values are not extracted, but the resulting regular expression is generated and returned in an error message. That expression can then be used with the rex command for more efficient extraction.
Syntax: fromfield=<field>
Description: The name of the existing field to extract the information from and save into a new field. Defaults to _raw.
Syntax: maxtrainers=<int>
Description: The maximum number values to learn from. Must be between 1 and 1000. Defaults to 100.


If you specify a field name, the values extracted from fromfield are saved to it. Otherwise, Splunk search returns a regular expression that you can then use with the rex command to extract the field.

Note: The values specified in examples and counterexample must exist in the retrieved events that are piped into the erex command. If they do not exist, the command will fail. To make sure that erex works, first run the search that returns the events you want. Then, copy the field values you want to extract and use those as example values for erex.


Example 1: Extracts out values like "7/01" and "7/02", but not patterns like "99/2", putting extractions into the "monthday" attribute.

... | erex monthday examples="7/01, 07/02" counterexamples="99/2"

Example 2: Extracts out values like "7/01", putting them into the "monthday" attribute.

... | erex monthday examples="7/01"

Example 3: Display ports for potential attackers. First, run the search for these potential attackers to find example port values. Then, use erex to extract the port field.

sourcetype=linux_secure port "failed password" | erex port examples="port 2887, port 3434" | top port

See also

extract, kvform, multikv, regex, rex, xmlkv


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the erex command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters