Regex v. Rex Commands in Splunk SPL

by Alex Trejo, Splunk Consultant

A regular expression is used to capture a pattern of characters in text. This becomes very useful when either filtering data or extracting new fields in Splunk. The SPL commands Splunk provides for regular expressions are ‘regex’ and ‘rex’. Both are regular expression commands, but they are used in different ways. Used together, they let us get the most out of regular expressions from the Splunk search bar alone.

Regex

regex [<field>=<regular expression>]

The regex command is primarily used for filtering data. It can keep either the events that match the regular expression or the events that do not. The regex command can be applied to a specified field; otherwise the default is _raw.

Rex

rex [field=<field>] [regular expression]

The rex command is used for search-time field extractions and string replacement. It can be applied to a specified field; otherwise the default is _raw.

Here we have a set of customer transactions with no predefined field extractions. We will be responsible for pulling out customer IDs, names, transactions, IPs, and statuses.

Screenshot: Splunk search results for the regex test index, showing timestamps, source file paths, and raw customer transaction events.

To begin, we will use the rex command to extract the fields we are looking for. Since we do not have any predefined fields to work from, we will have to run rex against the default _raw field. Because _raw is the default, we do not need to specify field= in the command.

To extract the CustomerId field we will use the following rex command:

rex "CustomerId(?<CustomerId>\w+_\d+)"

We will follow the same format for the transaction, IP, and STATUS fields.

Screenshot: Splunk search using several rex commands with named capture groups to extract CustomerId, transaction, IP, and STATUS from the raw events.

Next, we will extract the customers’ names. Since the CustomerId field already contains the customers’ names, we will run rex against that field instead of the default _raw.

To extract the CustomerName field we will use the following rex command:

rex field=CustomerId "(?<CustomerName>\w+)_\d+"

We will follow the same format for the CustomerNum field.

Screenshot: Splunk search using the rex field= syntax to extract CustomerName and CustomerNum from the CustomerId field rather than from _raw.

Next, we will display the fields in a table for better visibility.

Screenshot: Splunk statistics view with a table of the extracted fields CustomerId, CustomerName, transaction, IP, and STATUS.

Now, we will use the regex command to filter out IP addresses that start with 3 digits. Since we are targeting the IP field here, we must name that field in the command to override the default _raw.

regex IP!="\d{3}\.\d+\.\d+\.\d+"

Screenshot: Splunk search with a regex command filtering on IP format; the table shows the narrowed list of customer transactions whose IPs do not start with 3 digits.

If we instead wanted to keep only the IPs that begin with 3 digits, we would simply remove the ‘!’ before the ‘=’ in the command.

regex IP="\d{3}\.\d+\.\d+\.\d+"

Screenshot: Splunk search results keeping only the matching IP pattern; the filtered table shows customers such as Cat and Will whose IP addresses start with 3 digits.

Another useful feature of the rex command that we have not touched on yet is string replacement. With the mode=sed option, the command can rewrite strings within a field. Note that this does not change the indexed data in any way; it only alters the field value in the search results. Here we will use it to mask the leading octet of IP addresses that begin with 3 digits.

rex field=IP mode=sed "s/^\d{3}\./x./"

Screenshot: Splunk search using rex mode=sed to mask the leading three-digit octet of each IP address (e.g., 197.0.0.2 becomes x.0.0.2).
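To tie the walkthrough together, here is an added Python emulation of the rex extraction, regex filtering, and mode=sed steps above; it is not part of the original post and is not Splunk code. It assumes constructed key=value events, so each extraction pattern carries an "=" after the key name, and it converts Splunk's PCRE-style (?<name>...) groups to Python's (?P<name>...) form. It also shows how an unanchored global sed mask differs from one anchored to the leading octet.

```python
import re

# Constructed sample events (not the post's data); a key=value layout is assumed.
EVENTS = [
    "CustomerId=Cat_101 transaction=purchase IP=197.0.0.2 STATUS=OK",
    "CustomerId=Will_102 transaction=refund IP=203.10.100.5 STATUS=OK",
    "CustomerId=Bob_103 transaction=purchase IP=10.100.200.7 STATUS=FAILED",
]

def spl_to_python(pattern):
    # Splunk uses PCRE named groups (?<name>...); Python's re needs (?P<name>...).
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

def rex(events, pattern, field="_raw"):
    # rex [field=<field>] "<pattern>": each named group becomes a new field;
    # events that do not match are kept unchanged, as in Splunk.
    compiled = re.compile(spl_to_python(pattern))
    out = []
    for ev in events:
        m = compiled.search(ev.get(field, ""))
        out.append({**ev, **m.groupdict()} if m else dict(ev))
    return out

def regex_filter(events, pattern, field="_raw", negate=False):
    # regex <field>=<pattern> keeps matching events; regex <field>!=<pattern> drops them.
    compiled = re.compile(spl_to_python(pattern))
    return [ev for ev in events if bool(compiled.search(ev.get(field, ""))) != negate]

def rex_sed(events, field, find, replace, global_flag=True):
    # rex field=<field> mode=sed "s/<find>/<replace>/[g]": rewrites the field value
    # in the result set only; the indexed data is untouched.
    compiled, count = re.compile(find), 0 if global_flag else 1
    return [{**ev, field: compiled.sub(replace, ev[field], count=count)} if field in ev else dict(ev)
            for ev in events]

def extract(raw_events):
    events = [{"_raw": r} for r in raw_events]
    events = rex(events, r"CustomerId=(?<CustomerId>\w+_\d+)")
    events = rex(events, r"transaction=(?<transaction>\w+)")
    events = rex(events, r"IP=(?<IP>\d+\.\d+\.\d+\.\d+)")
    events = rex(events, r"STATUS=(?<STATUS>\w+)")
    events = rex(events, r"(?<CustomerName>\w+)_\d+", field="CustomerId")
    return rex(events, r"\w+_(?<CustomerNum>\d+)", field="CustomerId")

def mask_three_digit_ips(raw_events, anchored):
    # regex IP=\d{3}\.\d+\.\d+\.\d+ followed by mode=sed. The unanchored /g form
    # also masks interior three-digit octets; anchoring with ^ masks only the first.
    kept = regex_filter(extract(raw_events), r"\d{3}\.\d+\.\d+\.\d+", field="IP")
    find = r"^\d{3}\." if anchored else r"\d{3}\."
    return [ev["IP"] for ev in rex_sed(kept, "IP", find, "x.", global_flag=not anchored)]
```

Running mask_three_digit_ips(EVENTS, anchored=False) masks Will's 203.10.100.5 to x.10.x.5, while anchored=True yields x.10.100.5, which is why the anchor matters when the goal is to redact only the leading octet.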

There you have it – a short comparison of Regex vs. Rex in Splunk SPL. I hope this was helpful, and am happy to answer any questions using the request here: