Splunk Regular Expressions: Rex Command Examples

Last updated: 29 May 2023

Table of Contents

Rex vs regex
Extract match to new field
Character classes

This post is about the rex command. For the regex command see Rex Command Examples

Splunk version used: 8.x. Examples use the tutorial data from Splunk

Rex vs regex

`rex`	`regex`
Use to extract fields matching the expression	Use to filter rows (like the `where` clause)

Extract match to new field

Use named capture groups (within <?...>) with the rex command:

Example extract occurrences of alphanumeric UUID order IDs (followed by whitespace) into a field called order_id:

your search criteria
| rex field=_raw "order_id (?<order_id>[0-9a-z]+) "

Character classes

Class	Description
`\w`	letters, digits and underscore
`\W`	anything except letters, digits and underscore
`\d`	digits 0 through 9
`\D`	anything except digits 0 through 9

Felipe 21 Mar 2021 29 May 2023 splunk regex

Rex vs regex

Extract match to new field

Character classes

Dialogue & Discussion