SPL and regular expressions
Splunk regular expressions are PCRE (Perl Compatible Regular Expressions).
Here are a few things that you should know about using regular expressions in Splunk searches.
A pipe character ( | ) is used in regular expressions to specify an OR condition. For example, A or B is expressed as A | B.
Because pipe characters are used to separate commands in SPL, you must enclose a regular expression that uses the pipe character in quotation marks. For example:
...|regex "expression | with pipe"
This is interpreted by SPL as a search for the text "expression" OR "with pipe".
The backslash character ( \ ) is used in regular expressions to "escape" special characters. For example. The period character is used in a regular expression to match any character, except a line break character. If you want to match a period character, you must escape the period character by specifying
\. in your regular expression.
Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.
Searches that include a regular expression that contains a double backslash encounters a double backslash, such as in a filepath like
c:\\temp, the search interprets the first backslash as a regular expression escape character. The filepath is interpreted as
c:\temp, one of the backslashes is removed.
You must escape both backslash characters in a filepath by specifying 4 consecutive backslashes for the root portion of the filepath. For example:
c:\\\\temp. For a longer filepath, such as
c:\\temp\example, you would specify
c:\\\\temp\\example in your regular expression in the search string.
More about regular expressions
For more information:
Difference between NOT and !=
About search optimization
This documentation applies to the following versions of Splunk Cloud™: 7.0.11, 7.0.13, 7.1.3, 7.1.6, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001, 8.0.2003, 8.0.2004