Splunk Regular Expressions: Rex Command Examples
This post is about the `rex` command. For the `regex` command see Rex Command Examples.

Splunk version used: 8.x. Examples use the tutorial data from Splunk.
Rex vs regex

| rex | regex |
|---|---|
| Use to extract fields matching the expression | Use to filter rows (like the where clause) |
Extract match to new field
Use named capture groups (written `(?<name>...)`) with the `rex` command. The matched text is written to a new field named after the group.

Example: extract occurrences of lowercase alphanumeric UUID order IDs (followed by whitespace) into a field called `order_id`:

```
your search criteria
| rex field=_raw "order_id (?<order_id>[0-9a-z]+) "
```
Character classes

| Class | Description |
|---|---|
| \w | letters, digits and underscore |
| \W | anything except letters, digits and underscore |
| \d | digits 0 through 9 |
| \D | anything except digits 0 through 9 |
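To make the rex-versus-regex distinction and the character-class table concrete outside Splunk, here is an added example (not part of the original post and not Splunk's code) that models both commands over a handful of constructed log lines. JavaScript is used because its named capture groups use the same `(?<name>...)` syntax the `rex` command expects, so the post's pattern runs unchanged. The `events`, the `rex` and `regexFilter` helpers and the field names are assumptions made for this example.

```javascript
// Added example (not from the original post): a small model of Splunk's
// rex (extract named groups into new fields) versus regex (filter events).
// The event records and log lines below are constructed for this example.

const events = [
  { _raw: 'purchase order_id 4a7b2c9d1e item=wool-socks status=200' },
  { _raw: 'purchase order_id 9f3e1b6c0a item=hiking-boots status=500' },
  { _raw: 'health check status=200' },                            // no order_id: rex leaves it untouched
  { _raw: 'purchase order_id ZZ-BAD item=raincoat status=404' },  // uppercase/hyphen: not [0-9a-z]+
];

// Model of `| rex field=<field> "<pattern>"`: every event is kept; events
// whose field matches gain one new field per named capture group.
function rex(events, field, pattern) {
  const re = new RegExp(pattern);
  return events.map((ev) => {
    const m = re.exec(ev[field] ?? '');
    return m && m.groups ? { ...ev, ...m.groups } : ev;
  });
}

// Model of `| regex field=<field> "<pattern>"`: only events whose field
// matches survive; no fields are added.
function regexFilter(events, field, pattern) {
  const re = new RegExp(pattern);
  return events.filter((ev) => re.test(ev[field] ?? ''));
}

// The same pattern as the post: lowercase alphanumeric order IDs followed by a space.
const ORDER_ID = 'order_id (?<order_id>[0-9a-z]+) ';

// Returns the extracted order_id per event, or null where rex did not match.
function extractOrderIds() {
  return rex(events, '_raw', ORDER_ID).map((ev) => ev.order_id ?? null);
}

// Chains the two commands: rex pulls out the status code with \d (digits 0-9),
// then regex keeps only the 5xx events, mirroring `| rex ... | regex status="^5\d\d$"`.
function countServerErrors() {
  const withStatus = rex(events, '_raw', 'status=(?<status>\\d{3})');
  return regexFilter(withStatus, 'status', '^5\\d\\d$').length;
}

console.log(extractOrderIds());   // [ '4a7b2c9d1e', '9f3e1b6c0a', null, null ]
console.log(countServerErrors()); // 1
```

Note the two behaviours the table above describes: `rex` never drops an event, it only adds fields where the pattern matches (the health-check line and the uppercase ID simply get no `order_id`), while `regex` removes every non-matching event and adds nothing.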