Splunk Cloud Platform

Use Ingest Processors

Convert RE2 regular expressions to PCRE2 regular expressions

Convert your RE2 regular expressions to Perl Compatible Regular Expressions 2 (PCRE2).

Starting on March 5, 2025, all new pipelines will use PCRE2 syntax by default, with no option to use RE2. All existing pipelines can continue using RE2, but migration to PCRE2 is recommended. Pipelines with the following regular expression functions need to be migrated:

  • Like
  • Replace
  • Rex
  • Rename
  • Match
  • Mvfind
  • Searchmatch

Starting on June 5, 2025, RE2 support ends completely. All pipelines (new and existing) must use PCRE2 syntax.

Steps to convert RE2 regular expressions to PCRE2 regular expressions

  1. Log into the Splunk Cloud Platform deployment used for routing test data.
  2. In your deployment, create two new indexes for testing. For example, name the indexes re2pipelines and pcre2pipelines.

    These test indexes should be created on the paired Splunk Cloud Platform stack.

    To learn more about creating an index, see the Create an index and generate sample events topic in the Splunk Developer Guide.
  3. Log into your Data Management console.
  4. Refresh your system connections so that the Splunk software knows that the new indexes exist. To do this, select the Settings icon and then select System connections.
  5. Open a pipeline that contains regular expressions.
  6. In the SPL2 statement of your pipeline, copy and paste /* RE2 copy */ directly above the $pipeline = | from $source line in your statement.
  7. In the SPL2 statement of your pipeline, directly below the $pipeline = | from $source line, paste the following text:
    | eval initial_event_hash = md5(_raw)
    
  8. Before the | into $destination line of your SPL2 pipeline statement, paste the following SPL2 template text:
    | thru [
       | eval final_event_hash = md5(tostring(tojson()))
       | eval index="re2pipelines"
       | into $destination2
    ]
    
  9. Navigate to the Actions section of the pipeline builder, select Send data to $destination2, then Select a destination…, and select the Splunk platform indexer on which you created the indexes in step 2.
  10. Click the Save pipeline button, and deploy your pipeline.

    Do not toggle to PCRE2. Click Save.

  11. After saving and deploying your updated pipeline, perform the following changes to your SPL2 statement:
    1. Change the /* RE2 copy */ line to /* PCRE2 copy */.
    2. Change the following lines from:
      | thru [
         | eval final_event_hash = md5(tostring(tojson()))
         | eval index="re2pipelines"
         | into $destination2
      ]
      | into $destination;
      


      to:

      | eval final_event_hash = md5(tostring(tojson()))
      | eval index="pcre2pipelines"
      | into $destination;
      
  12. In the Actions section of the pipeline builder, select Send data to $destination, then Select a destination…, and select the same Splunk indexer on which you created the indexes in step 2.
  13. Click the Save pipeline dropdown and Save as pipeline…. Name the copy PCRE2 Copy of <pipeline of interest's name>, add a description if desired, and click Save.
    By default, the copy and any new pipelines operate with PCRE2 regexes at runtime. Any existing pipeline (for example, your pipeline of interest) continues to operate with RE2 regexes at runtime.
  14. Use the Splunk software's search function to query both indexes at the same time.

    (index="re2pipelines" OR index="pcre2pipelines") | eventstats count as init_count by initial_event_hash | where init_count=2 | stats count as pair_count by final_event_hash, initial_event_hash | table initial_event_hash, final_event_hash, pair_count | where pair_count=1

  15. initial_event_hash is the hash of _raw taken before any of your business logic runs. final_event_hash is the hash of the whole event after all your business logic. Because the final hash is computed before the index field is set, the index name itself never changes it. In the ideal case, every initial_event_hash that appears in both indexes is paired with a single final_event_hash that occurs twice, which means the RE2 pipeline and the PCRE2 pipeline executed identical transformations on that event. Any (initial_event_hash, final_event_hash) pair reported with pair_count=1 means the PCRE2-based pipeline emitted a different result from the RE2-based pipeline for that event. To examine the raw event details of such an event in search, replace the placeholder value in the following query with one of the initial_event_hash values returned by the previous query. The hash is a 32-character hexadecimal string, so quote it:

    (index = "re2pipelines" OR index = "pcre2pipelines") | where initial_event_hash = "123456" | table * | transpose

  16. Review your regular expressions to verify that they conform to the syntax and the use case. The pipeline will not save if the patterns are not compatible with the regex engine. For more information, see the About Splunk regular expressions topic in the SPL2 Search Manual.
  17. Once the data is identical in both locations, unapply and delete the PCRE2 Copy of <pipeline of interest's name> pipeline.
  18. Open the original pipeline, and perform the following tasks:
    1. Remove the logic that was created in steps 7 and 8.
    2. Navigate to your pipeline, select Edit, and click the toggle to change the regex runtime from RE2 to PCRE2. This will permanently switch regex runtimes with no option to revert.
    3. Click Save.
  19. Repeat these steps for other pipelines that are still on the RE2 regex runtime. To find them, navigate to the Pipelines page and open each pipeline that is marked with the RE2 icon.
  20. If desired, delete all test data from the test indexes index=pcre2pipelines, and index=re2pipelines. To learn more, see the Remove indexes and indexed data topic in the Managing Indexers and Clusters of Indexers section of the Splunk Enterprise manual.
  21. Starting on June 5, 2025, all new and existing pipelines will run on the PCRE2 regex runtime, with no option to revert to RE2.
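The comparison in steps 14 and 15 is easier to reason about when you can run it on a handful of events outside Splunk. The following Python script is an added example, not code from the Splunk documentation or product: it reproduces the hash-and-pair logic of the search (hash _raw before the business logic, hash the finished event as JSON before the index field is stamped, then report initial hashes whose two copies disagree). The sample events are constructed, the "business logic" is a single hypothetical rex-style extraction, and the two regex patterns only stand in for the RE2 and PCRE2 runtimes: Python's re module is neither engine, so the second pattern is deliberately narrower to make one event diverge.

```python
"""Offline model of the RE2/PCRE2 comparison search (steps 14 and 15).

Added example; not Splunk code. Everything below is constructed.
"""
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample raw events; not data from the original page.
RAW_EVENTS = [
    "user=alice src=10.0.0.5 action=login",
    "user=bob src=10.0.0.9 action=logout",
    "user=dave2 src=10.0.0.11 action=login",
]

# Hypothetical patterns standing in for the two regex runtimes. Python's re
# module is neither RE2 nor PCRE2; the second pattern is deliberately
# narrower so that exactly one event is transformed differently, which is
# the situation the search is designed to surface.
RE2_PATTERN = r"user=(?P<user>\w+)"
PCRE2_PATTERN = r"user=(?P<user>[a-z]+)"


def md5_hex(text: str) -> str:
    """MD5 is a content fingerprint here, exactly as in the pipeline; it is
    not a security control and collision resistance is irrelevant."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def business_logic(raw: str, pattern: str) -> dict:
    """Stand-in for the pipeline's own transformations: one rex-style
    field extraction into a field named 'user'."""
    event = {"_raw": raw}
    match = re.search(pattern, raw)
    if match:
        event["user"] = match.group("user")
    return event


def run_pipeline(raw_events, pattern: str, index_name: str) -> list:
    """Model of one pipeline copy: hash _raw first (step 7), apply the
    business logic, hash the finished event as JSON (steps 8 and 11), and
    only then stamp the index name so that it never affects the hash."""
    out = []
    for raw in raw_events:
        event = business_logic(raw, pattern)
        event["initial_event_hash"] = md5_hex(raw)
        event["final_event_hash"] = md5_hex(json.dumps(event, sort_keys=True))
        event["index"] = index_name
        out.append(event)
    return out


def find_mismatches(events) -> list:
    """Model of the step-14 search: keep only initial hashes that occur
    exactly twice (init_count=2, once per index), then report those whose
    two copies carry different final hashes (the pair_count=1 rows)."""
    by_initial = defaultdict(list)
    for event in events:
        by_initial[event["initial_event_hash"]].append(event)
    mismatches = []
    for initial, copies in by_initial.items():
        if len(copies) != 2:
            continue
        if len({c["final_event_hash"] for c in copies}) == 2:
            mismatches.append(initial)
    return sorted(mismatches)


def explain(events, initial_hash: str) -> list:
    """Model of the step-15 drill-down: return both copies of one event so
    the differing fields can be compared side by side."""
    return [e for e in events if e["initial_event_hash"] == initial_hash]


if __name__ == "__main__":
    re2_out = run_pipeline(RAW_EVENTS, RE2_PATTERN, "re2pipelines")
    pcre2_out = run_pipeline(RAW_EVENTS, PCRE2_PATTERN, "pcre2pipelines")
    both = re2_out + pcre2_out
    for initial in find_mismatches(both):
        for copy in explain(both, initial):
            print(copy["index"], copy["_raw"], "->", copy.get("user"))
```

Two things the model makes visible. First, stamping the index after computing final_event_hash is what allows the two copies to hash identically at all; if the eval index line were moved above the hash, every event would be reported as a mismatch. Second, the search filters on init_count=2, so an event that one runtime drops entirely (for example, a where clause whose regex no longer matches) appears only once and is silently excluded from the mismatch list; compare the plain event counts of the two test indexes as well before declaring the pipelines equivalent.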
Last modified on 05 March, 2025
This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406, 9.3.2408 (latest FedRAMP release)

