DEV Community

Maxime Guilbert

Splunk - Rex command

When you are debugging an application, you may need to extract some data from logs (like an ID in a URI...).

To help you do that, Splunk has the rex command.

How does it work?

Command

The simplest way to use it is

| rex "<regex>"

With this command, rex searches the whole event: when no field is given, it runs the regex against the _raw field.

If you want to search in a specific field, add field= and the name of your field.

| rex field=<field> "<regex>"

Example

| rex field=uri "<regex>"

Regex

About how to write the regex, you have to follow the next pattern:

[Regex for the text before the desired value][Regex for the desired value][Regex for the text after the desired value]

The first and the last parts look like a classic regex.
But the middle part is a little bit particular.

(?<field_name>\w+)

Written like this, you declare a named capturing group: the name between < and > is the field where rex will put the extracted data, and what follows the name is the regex matching your value. An event where the regex does not match is kept and simply gets no new field; rex extracts, it does not filter.

You can also retrieve multiple values from a single rex command by using several named groups.


Examples

Retrieve a username

| rex "user\s(?<username>\w+)\s"

Retrieve the email sender and the destination of a mail

| rex field=_raw "From: <(?<from>.*)> To: <(?<to>.*)>"

The greedy .* in the second group works as long as the recipient's > is the last one on the line; if the event carries further addresses after it (a Cc: for example), the to field swallows them, so prefer [^>]+ when that can happen.
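As an added worked example (editor's code, not from the original post), here is a small Python simulation of rex that runs the two regexes above, plus a field= extraction of an ID from a URI, over a few constructed log events. It mirrors two rex behaviours worth knowing: a non-matching event passes through unchanged instead of being dropped, and only the first match per event is used (rex's default max_match=1). Splunk's rex takes PCRE-style (?<name>...) groups while Python's re module only accepts (?P<name>...), so a helper rewrites the group opener. The event lines, the uri field, the order_id name and the stricter [^>]+ variant are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, shaped like what Splunk would hand to rex.
# _raw is the whole log line; uri is a field already extracted by the index.
SAMPLE_EVENTS = [
    {"_raw": "2024-05-01T10:00:00Z login ok user alice from 10.0.0.5",
     "uri": "/api/v1/orders/84213/items"},
    {"_raw": "From: <ceo@example.com> To: <finance@example.com> Subject: wire transfer",
     "uri": "/mail/inbox"},
    {"_raw": "health check ok", "uri": "/healthz"},
]

# A constructed mail line with an extra address after the recipient, to show
# what the greedy .* in the page's second example does in that case.
EMAIL_EVENTS = [
    {"_raw": "From: <alerts@example.com> To: <soc@example.com> Cc: <ciso@example.com>"},
]

PAGE_MAIL_REGEX = r"From: <(?<from>.*)> To: <(?<to>.*)>"
TIGHT_MAIL_REGEX = r"From: <(?<from>[^>]+)> To: <(?<to>[^>]+)>"


def to_python_regex(splunk_regex: str) -> str:
    """Rewrite PCRE (?<name>...) groups to Python's (?P<name>...).

    The lookahead for an identifier character leaves lookbehinds such as
    (?<=...) and (?<!...) untouched.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", splunk_regex)


def rex(events: List[Dict[str, str]], regex: str,
        field: str = "_raw") -> List[Dict[str, str]]:
    """Simulate `| rex field=<field> "<regex>"` over a list of events.

    Like Splunk's rex: the default field is _raw, an event that does not
    match is passed through without new fields, and only the first match
    per event is used (max_match=1).
    """
    pattern = re.compile(to_python_regex(regex))
    out = []
    for event in events:
        new_event = dict(event)
        match = pattern.search(event.get(field, ""))
        if match:
            # Each named group becomes a new field on the event.
            new_event.update({name: value
                              for name, value in match.groupdict().items()
                              if value is not None})
        out.append(new_event)
    return out


def demo_username() -> List[Optional[str]]:
    """The page's first example: | rex "user\\s(?<username>\\w+)\\s"."""
    results = rex(SAMPLE_EVENTS, r"user\s(?<username>\w+)\s")
    return [event.get("username") for event in results]


def demo_order_id() -> List[Optional[str]]:
    """An ID in a URI, searched with field=uri instead of _raw."""
    results = rex(SAMPLE_EVENTS, r"/orders/(?<order_id>\d+)", field="uri")
    return [event.get("order_id") for event in results]


def demo_mail(regex: str) -> Dict[str, Optional[str]]:
    """The page's mail example, run with either regex on the Cc: line."""
    event = rex(EMAIL_EVENTS, regex)[0]
    return {"from": event.get("from"), "to": event.get("to")}


if __name__ == "__main__":
    print("username:", demo_username())
    print("order_id:", demo_order_id())
    print("greedy .* :", demo_mail(PAGE_MAIL_REGEX))
    print("[^>]+     :", demo_mail(TIGHT_MAIL_REGEX))
```

Running it shows username extracted only from the login line and order_id only from the orders URI, with the other events kept as they were. On the Cc: line the page's regex returns to = "soc@example.com> Cc: <ciso@example.com", while the [^>]+ version stops at the first closing bracket and returns just "soc@example.com"; the same difference shows up in Splunk, because rex and this script apply the same greedy matching rules.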

I hope it will help you! 🍺
