Regular Expressions are useful in multiple areas: search commands regex and rex; eval functions match() and replace(); and in field extraction.
| Regex | Note | Example | Explanation |
|---|---|---|---|
| \s | white space | \d\s\d | digit space digit |
| \S | not white space | \d\S\d | digit non-whitespace digit |
| \d | digit | \d\d\d-\d\d-\d\d\d\d | SSN |
| \D | not digit | \D\D\D | three non-digits |
| \w | word character (letter, number, or _) | \w\w\w | three word chars |
| \W | not a word character | \W\W\W | three non-word chars |
| [...] | any included character | [a-z0-9#] | any char that is a thru z, 0 thru 9, or # |
| [^...] | no included character | [^xyz] | any char but x, y, or z |
| * | zero or more | \w* | zero or more word chars |
| + | one or more | \d+ | integer |
| ? | zero or one | \d\d\d-?\d\d-?\d\d\d\d | SSN with dashes being optional |
| | | or | \w|\d | word or digit character |
| ...) | named extraction | \d\d\d-?\d\d\d\d | pull out a SSN and assign to 'ssn' field |
| (?: ... ) | logical or atomic grouping | alphabetic character OR a digit | |
| ^ | start of line | ^\d+ | line begins with at least one digit |
| $ | end of line | \d+$ | line ends with at least one digit |
| { . . . } | number of repetitions | \d{3,5} | between 3-5 digits |
| \ | escape | \[ | escape the [ char |
Search Examples
Filter Results
Filter results to only include those with "fail" in their raw text and status=0.
... | search fail status=0
Remove duplicates of results with the same host value.
... | dedup host%I
Keep only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8)
... | regex _raw=" (?
Group Results
Cluster results together, sort by their "cluster_count" values, and then return the 20 largest clusters (in data size).
... | cluster t=0.9 showcount=true | sort limit=20 -cluster_count
Group results that have the same "host" and "cookie", occur within 30 seconds of each other, and do not have a pause greater than 5 seconds between each event into a transaction.
... | transaction host cookie maxspan=30s maxpause=5s
Group results with the same IP address (clientip) and where the first result contains "signon", and the last result contains "purchase".
... | transaction clientip startswith="signon" endswith="purchase"