regex
Use the regex command to filter data according to a specified regular expression.
Syntax
String processing commands like regex are resource intensive. Because of this, running the regex command against a large number of log records or large field values is not recommended. Instead, extract these values using the Extended Field Definitions (EFD) or Labels in your Log Source.
For writing performant regex queries, refer to the RE2J syntax at Java Implementation of RE2.
regex <field> [=|!= <regular expression>] | [IN | NOT IN (<regular expression> [(,<regular expression>)*])]
Parameters
The following table lists the parameters used in this command, along with their descriptions.
Parameter | Description |
---|---|
`<field>` | Specify the field to be analyzed. |
`<regular expression>` | Specify the regular expression. |
Consider the following set of sample records representing the names of entities to run a few example regex queries:
slc07cuc
slc07ptt
slc07ptt:8452
stuyb43
stuyb43:1831
Filter Requirement | Example Regex Command | Search Result |
---|---|---|
To represent a single character using `.` | `* \| regex 'entity' = 'slc07ptt:845.'\|distinct entity` | slc07ptt:8452 |
To detect one or more matches using the character `+` | `* \| regex 'entity' = 'slc07ptt.+'\|distinct entity` | slc07ptt:8452 |
To detect zero or more matches using the character `*` | `* \| regex 'entity' = 'slc07ptt.*'\|distinct entity` | slc07ptt |
To detect zero or one match using the wildcard character `?` | `* \| regex 'entity' = 'slc07ptt?'\|distinct entity` | slc07ptt |
To specify the minimum and maximum number of repetitions using `{}` | `* \| regex 'entity' = 'slc07p{1,2}'\|distinct entity` | slc07ptt |
To provide alternate options for a specific character | `* \| regex 'entity' = 'slc07pt(T\|t)'\|distinct entity` | slc07ptt |
To specify a complement using the `~` character | `* \| regex 'entity' = 'slc~c'\|distinct entity` | slc07cuc |
To specify a numeric range using the interval option `<>` | `* \| regex 'entity' = 's.*<1-43>.*'\|distinct entity` | stuyb43 |
To join two patterns such that both of them match, use the intersection option `&` | `* \| regex 'entity' = '.*43&.*tu.'\|distinct entity` | stuyb43 |
To match any string in its entirety using the `@` option | `* \| regex 'entity' = '@'\|distinct entity` | slc07cuc |
To find the records by filtering out the specific options using the not equal character `!=` | `* \| regex 'entity' != 'slc07.+'\|distinct entity` | stuyb43 |
To find records that contain the characters 2 and 5, specify the boolean expression `IN` | `* \| regex 'entity' in ('.*2.*', '.*5.*')\|distinct entity` | slc07ptt:8452 |
To find records that don't contain the characters 1 and 2, specify the boolean expression `NOT IN` | `* \| regex 'entity' not in ('.*1.*', '.*2.*')\|distinct entity` | slc07cuc |
To specify multiple regex queries | `* \| regex 'entity' = '[^1]+' \| regex 'entity' = '[^5]+' \|distinct entity` | slc07cuc |
To find the records by specifying the character class that negates the presence of the characters from 1 to 6 by using the option `^` | `* \| regex 'entity' = 'slc0[^1-6].*' \|distinct entity` | slc07cuc |
To find the records by specifying the character class for the presence of the characters from 3 to 8 | `* \| regex 'entity' = 'slc0[3-8].*' \|distinct entity` | slc07cuc |
To find the records by specifying the character class for the presence of the characters 1 or 2 | `* \| regex 'entity' = 's.*[12].*'\|distinct entity` | slc07ptt:8452 |
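An offline model of the `=`, `!=`, `IN` and `NOT IN` forms, added here as an example (it is not the product's implementation or code from this page), for checking a pattern against a few sample values before running it on a large log set. It uses Python's `re` rather than RE2J and assumes a pattern must match the whole field value; `regex_filter`, `OPERATORS` and `UNMODELLED` are hypothetical names.

```python
import re

# Sample entity names from the page.
RECORDS = ["slc07cuc", "slc07ptt", "slc07ptt:8452", "stuyb43", "stuyb43:1831"]

# Operators from the page's examples that Python's `re` would silently treat
# as literal characters; reject them instead of returning misleading results.
UNMODELLED = set("~&@<>")

# True = keep values that match, False = keep values that do not match.
OPERATORS = {"=": True, "in": True, "!=": False, "not in": False}


def regex_filter(values, op, *patterns):
    """Model `regex <field> <op> <pattern(s)> | distinct <field>`.

    Assumption: a pattern must match the entire field value (fullmatch).
    """
    key = op.lower()
    if key not in OPERATORS:
        raise ValueError(f"unknown operator: {op!r}")
    if not patterns or (key in ("=", "!=") and len(patterns) != 1):
        raise ValueError(f"{op!r} got {len(patterns)} pattern(s)")
    for p in patterns:
        if UNMODELLED & set(p):
            raise ValueError(f"pattern {p!r} uses an operator not modelled here")
    compiled = [re.compile(p) for p in patterns]
    keep_matches = OPERATORS[key]
    result = []
    for value in values:
        matched = any(c.fullmatch(value) for c in compiled)
        # `distinct` behaviour: each surviving value is reported once.
        if matched == keep_matches and value not in result:
            result.append(value)
    return result


if __name__ == "__main__":
    print(regex_filter(RECORDS, "=", "slc07ptt.+"))
    print(regex_filter(RECORDS, "!=", "slc07.+"))
    print(regex_filter(RECORDS, "not in", ".*1.*", ".*2.*"))
    # Chained regex commands: the second filters the output of the first.
    print(regex_filter(regex_filter(RECORDS, "=", "[^1]+"), "=", "[^5]+"))
```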