Splunk® Enterprise

Search Manual

SPL and regular expressions

Regular expressions in the Splunk Search Processing Language (SPL) are Perl Compatible Regular Expressions (PCRE).

You can use regular expressions with the rex and regex commands. You can also use regular expressions with evaluation functions such as match and replace. See Evaluation functions in the Search Manual.

The following sections provide guidance on regular expressions in SPL searches.

Pipe characters

A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A | B means A or B.

Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. The following search shows how to use quotation marks around a pipe character; SPL interprets the quoted regular expression as a search for the text "expression" OR "with pipe".

...|regex "expression | with pipe"

Backslash characters in regular expressions

The backslash character ( \ ) is used in regular expressions to escape any special characters that have meaning in regular expressions, such as periods ( . ), double quotation marks ( " ), and backslashes themselves. For example, the period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying \. in your regular expression.

In searches that include a regular expression that contains a double backslash, like the file path c:\\temp, the search interprets the first backslash as a regular expression escape character. The file path is interpreted as c:\temp, because one of the backslashes is removed. You must escape both backslash characters in the file path by specifying 4 consecutive backslashes for the root portion of the file path, such as c:\\\\temp. For a longer file path, such as c:\\temp\example, you can specify c:\\\\temp\\example in your regular expression in the search string.

One reason you might need extra escaping backslashes in your searches is that the Splunk platform parses text twice: once for SPL and then again for regular expressions. Each parse applies its own layer of backslash handling and treats each backslash as a special character that needs an additional backslash to make it literal. As a result, \\ in SPL becomes \ before it is parsed as a regular expression, and \\\\ in SPL becomes \\ before it is parsed as a regular expression.

See Backslashes in the Search Manual.

Avoid extra escaping backslash characters

To avoid using extra escaping backslashes in your searches, you can use the octal code \134 or the hexadecimal code \x5c in your regular expression. These codes are equivalent to the backslash character and get around the need to double-escape backslashes. For example, consider the following search, which extracts the characters ABC that follow 2 backslashes:

| makeresults | eval example="xyz\\ABC" | rex field=example max_match=3 ".*\\\(?<extract>.*)"

The search results look something like this:

time                 example   extract
2023-09-20 17:20:59  xyz\ABC   ABC

Instead of using 3 backslashes, you can get the same search results using \x5c in the regular expression, like this:

| makeresults | eval example="xyz\\ABC" | rex field=example max_match=3 ".*\x5c(?<extract>.*)"
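The two parsing layers described above, modelled as an added example that is not Splunk's own code: the SPL string layer unescapes the quoted literal once, and the result is then compiled as a regular expression. The model assumes (not stated on this page) that the SPL layer treats only \\ and \" as escapes and passes every other backslash sequence through unchanged; PCRE-style (?<name>...) groups are rewritten for Python's re module.

```python
import re


def spl_unescape(literal: str) -> str:
    """Model the SPL string layer: return the text the regex engine receives.

    Assumption: only \\\\ and \\" are escapes; anything else passes through.
    """
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])  # \\ -> \   and   \" -> "
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def pcre_to_python(pattern: str) -> str:
    """PCRE writes named groups (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def spl_rex(literal: str, text: str):
    """Apply an SPL-quoted regex to text.

    Returns the named-group dict (empty if the pattern has none) on a match,
    or None when the regex the engine actually received does not match.
    """
    regex = re.compile(pcre_to_python(spl_unescape(literal)))
    m = regex.search(text)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed field value: the eval literal "xyz\\ABC" becomes xyz\ABC.
    field = spl_unescape(r"xyz\\ABC")
    for spl_pattern in (r".*\\\(?<extract>.*)", r".*\x5c(?<extract>.*)", r".*\134(?<extract>.*)"):
        print(f"SPL {spl_pattern!r:28} -> regex {spl_unescape(spl_pattern)!r:24} -> {spl_rex(spl_pattern, field)}")
    # Constructed path: c:\\temp in SPL reaches the regex engine as c:\temp,
    # where \t is a tab, so the literal path c:\temp is not matched.
    print(spl_rex(r"c:\\temp", r"c:\temp"), spl_rex(r"c:\\\\temp", r"c:\temp"))
```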

More about regular expressions

For more information:

Last modified on 01 November, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 8.0.8, 8.1.0, 8.1.10, 8.1.11
