Search command - rex

The rex or regular expression command is extremely useful when you need to extract a field during search time that has not already been extracted automatically. The rex command even works in multi-line events. The following sample command will get all the versions of the Chrome browser that are defined in the highlighted User Agent string part of the following raw data. Let's say this is your raw data, and you need to get the highlighted value:

016-07-21 23:58:50:227303,96.32.0.0,GET,/destination/LAX/details,-,80, 
-,10.2.1.33,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) 
AppleWebKit/537.36 (KHTML; like Gecko) Chrome/29.0.1547.76 
Safari/537.36,500,0,0,823,3053

You can use this search command to get it:

SPL> index=main | rex ...

Get Splunk Essentials - Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Splunk Essentials - Second Edition by Betsy Page Sigman, Erickson Delgado

Search command - rex

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly