Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

SPL and regular expressions

Splunk Search Processing Language (SPL) regular expressions are PCRE (Perl Compatible Regular Expressions).

You can use regular expressions with the rex and regex commands. You can also use regular expressions with evaluation functions such as match and replace.

Here are a few things that you should know about using regular expressions in Splunk searches.

Pipe characters

A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.

Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:

...|regex "expression | with pipe"

This is interpreted by SPL as a search for the text "expression" OR "with pipe".

Backslash characters

The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example, the period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \. in your regular expression.

Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.

In searches that include a regular expression that contains a double backslash, such as in a filepath like c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as c:\temp, one of the backslashes is removed.

You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example: c:\\\\temp. For a longer filepath, such as c:\\temp\example, you would specify c:\\\\temp\\example in your regular expression in the search string.

Avoiding excessive numbers of backslash characters

The reason you can get an excessive number of backslashes in your searches is that Splunk software parses text twice; once for SPL and once for regular expressions. Each parse applies its own use of backslashes in layers and treats the backslash as a special character that needs an additional backslash to make it literal. As a result, \\ in SPL becomes \ before it gets parsed as a regular expression, and \\\\ in SPL becomes \\ after regular expression parsing.

It's easy to get confused as the number of escaping backslashes increases. Instead of using a lot of backslashes, use \x5c, which is case sensitive and matches the backslash character with index 5C16 (9210 or 1348) literally. For example, consider the following search, which extracts ABC, the characters that follow 2 backslashes:

| makeresults | eval example="xyz\\ABC" | rex field=example max_match=3 ".*\\\(?<extract>.*)"

The search results look something like this:

time example extract
2023-09-20 17:20:59 xyz\ABC ABC

You can get the same search results using \x5c in the regular expression instead of 3 backslashes, like this:

| makeresults | eval example="xyz\\ABC" | rex field=example max_match=3 ".*\x5c(?<extract>.*)"

More about regular expressions

For more information:

Last modified on 21 September, 2023
PREVIOUS
Use CASE() and TERM() to match phrases 		  NEXT
About search optimization

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.3, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1, 8.0.2, 8.0.4, 8.0.5

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters