
SPL and regular expressions
Splunk Search Processing Language (SPL) regular expressions are PCRE (Perl Compatible Regular Expressions).
You can use regular expressions with the rex
and regex
commands. You can also use regular expressions with evaluation functions such as match
and replace
.
Here are a few things that you should know about using regular expressions in Splunk searches.
Pipe characters
A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.
Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:
...|regex "expression | with pipe"
This is interpreted by SPL as a search for the text "expression" OR "with pipe".
Backslash characters
The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example, the period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \.
in your regular expression.
Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.
In searches that include a regular expression that contains a double backslash, such as in a filepath like c:\\temp
, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as c:\temp
, one of the backslashes is removed.
You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example: c:\\\\temp
. For a longer filepath, such as c:\\temp\example
, you would specify c:\\\\temp\\example
in your regular expression in the search string.
Avoiding excessive numbers of backslash characters
The reason you can get an excessive number of backslashes in your searches is that Splunk software parses text twice; once for SPL and once for regular expressions. Each parse applies its own use of backslashes in layers and treats the backslash as a special character that needs an additional backslash to make it literal. As a result, \\
in SPL becomes \
before it gets parsed as a regular expression, and \\\\
in SPL becomes \\
after regular expression parsing.
It's easy to get confused as the number of escaping backslashes increases. Instead of using a lot of backslashes, use \x5c
, which is case sensitive and matches the backslash character with index 5C16 (9210 or 1348) literally. For example, consider the following search, which extracts ABC
, the characters that follow 2 backslashes:
| makeresults
| eval example="xyz\\ABC"
| rex field=example max_match=3 ".*\\\(?<extract>.*)"
The search results look something like this:
time | example | extract |
---|---|---|
2023-09-20 17:20:59 | xyz\ABC | ABC |
You can get the same search results using \x5c
in the regular expression instead of 3 backslashes, like this:
| makeresults
| eval example="xyz\\ABC"
| rex field=example max_match=3 ".*\x5c(?<extract>.*)"
More about regular expressions
For more information:
- See Extract fields using regular expressions
- See About Splunk regular expressions in the Knowledge Manager Manual.
PREVIOUS Use CASE() and TERM() to match phrases |
NEXT About search optimization |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.3, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1, 8.0.2, 8.0.4, 8.0.5
Feedback submitted, thanks!