regex
Description
Removes results that match or do not match the specified regular expression.
Syntax
The required syntax is in bold.
- regex
- (<field>=<regex-expression> | <field>!=<regex-expression> | <regex-expression>)
Required arguments
- <regex-expression>
- Syntax: "<string>"
- Description: An unanchored regular expression. The regular expression must be a Perl Compatible Regular Expression supported by the PCRE library. Quotation marks are required.
Optional arguments
- <field>
- Syntax: <field>
- Description: Specify the field name from which to match the values against the regular expression.
- You can specify that the
regex
command keeps results that match the expression by using <field>=<regex-expression>. To keep results that do not match, specify <field>!=<regex-expression>. - Default:
_raw
Usage
The regex
command is a distributable streaming command. See Command types.
When you use regular expressions in searches, you need to be aware of how characters such as pipe ( | ) and backslash ( \ ) are handled. See SPL and regular expressions in the Search Manual.
Although !=
is valid within a regex
command, NOT
is not valid.
For general information about regular expressions, see About Splunk regular expressions in the Knowledge Manager Manual.
The difference between the regex and rex commands
Use the regex
command to remove results that match or do not match the specified regular expression.
Use the rex
command to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.
Using the regex command with !=
If you use regular expressions in conjunction with the regex
command, note that !=
behaves differently for the regex
command than for the search
command.
You can use a regex
command with !=
to filter for events that don't have a field value matching the regular expression, or for which the field is null. For example, this search will include events that do not define the field Location
.
... | regex Location!="Calaveras Farms"
The search
command behaves the opposite way. You can use a search
command with !=
to filter for events that don't contain a field matching the search string, and for which the field is defined. For example, this search will not include events that do not define the field Location
.
... | search Location!="Calaveras Farms"
If you use !=
in the context of the regex
command, keep this behavior in mind and make sure you want to include null fields in your results.
Examples
1. Keep only results that contain IP addresses in a non-routable class
This example keeps only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8). This example uses a negative lookbehind assertion at the beginning of the expression.
... | regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
2. Keep only the results that match a valid email address
This example keeps only the results that match a valid email address. For example, buttercup@example.com.
...| regex email="^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$"
This regular expression is for example purposes only and isn't a fully RFC-compliant email address validator.
The following table explains each part of the expression.
Part of the expression | Description |
---|---|
^
|
Specifies the beginning of the string. |
([a-z0-9_\.-]+)
|
This is the first group in the expression. Specifies to match one or more lowercase letters, numbers, underscores, dots, or hyphens. The backslash ( \ ) character is used to escape the dot ( . ) character. The dot character is escaped, because a non-escaped dot matches any character. The plus ( + ) sign specifies to match from 1 to unlimited characters in this group. In this example this part of the expression matches buttercup in the email address buttercup@example.com. |
@
|
Matches the at symbol. |
([\da-z\.-]+)
|
This is the second group in the expression. Specifies to match the domain name, which can be one or more lowercase letters, numbers, underscores, dots, or hyphens. This is followed by another escaped dot character. The plus ( + ) sign specifies to match from 1 to unlimited characters in this group. In this example this part of the expression matches example in the email address buttercup@example.com. |
([a-z\.]{2,6})
|
This is the third group. Specifies to match the top-level domain (TLD), which can be 2 to 6 letters or dots. This group matches all types of TLDs, such as .co.uk , .edu , or .asia . In this example it matches .com in the email address buttercup@example.com.
|
$
|
Specifies the end of the string. |
3. Filter out zip codes with a specific format
Filter out zip codes that are formatted like a United States zip code or zip+4 code. For example, this search would return a Canadian zip code.
... | regex not_usa_zip!="[0-9]{5}(-[0-9]{4})?"
4. Filter events where a field has no value
The search with regex
and !=
in the following example creates 5 events with Country="Canada" and 5 events with City="Toronto", and filters on events where Country
does not equal "Canada".
| makeresults count=5 | eval Country="Canada"
| append [
| makeresults count=5 | eval city="Toronto"
]
| regex country!="Canada"
This search returns the union of two groups of events: events where the field Country
is defined and has a value not equal to "Canada"; and events where the field Country
is not defined. As a result, 5 events are displayed for the City
field, even though a Country
field was not defined for those events. Also, the Country
field is displayed, but the values are null. The results look something like this.
_time | city | country |
---|---|---|
2020-11-02 15:48:47 | Toronto | |
2020-11-02 15:48:47 | Toronto | |
2020-11-02 15:48:47 | Toronto | |
2020-11-02 15:48:47 | Toronto | |
2020-11-02 15:48:47 | Toronto |
In contrast, the search with search
and !=
in the following example doesn't return any events because all of the events with field City
where the field Country
is null are excluded.
| makeresults count=5 | eval country="Canada"
| append [
| makeresults count=5 | eval city="Toronto"
]
| search country!="Canada"
See also
rare | reltime |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!