Splunk Examples: Regex command
Last updated:Table of Contents
- regex vs rex
- Field contains regex
- Field does not contain regex
- Field matches regex
- Character classes
This post is about the
regexcommand. For therexcommand see Rex Command ExamplesSplunk version used: 8.x. Examples use the tutorial data from Splunk
regex vs rex
regex |
rex |
|---|---|
| Use to filter rows (like the where clause) |
Use to extract fields matching the expression |
Field contains regex
regexacts as an extra search criteria!
Use command regex and the field you want to match on (can also be the _raw field)
Example: retrieve rows that match "search criteria" and and contain a three-digit number
"search criteria"
| regex _raw="\d{3}"
Field does not contain regex
Use field!="pattern"
Example: select rows that do not contain an IP address (4 blocks of digits with a dot (.) in between):
"search criteria"
| regex _raw!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
BEFORE: full results include IPs
AFTER: no more rows containing IPs
Field matches regex
As a variation of the above, this only returns rows where the field fully matches the regex.
To do that, simply add ^ at the beggining and $ at the end of the pattern
Example: retrieve rows that match "search criteria" and and only have lowercase letters or spaces
search criteria
| regex _raw="[a-z ]+"
Character classes
| Class | Description |
|---|---|
\d | digits 0 through 9 |
\D | anything except digits 0 through 9 |
\w | letters, digits and underscore |
\W | anything except letters, digits and underscore |