Regular Expressions (REGEXES)

Regular Expressions are useful in multiple areas: search commands regex and rex; eval functions match() and replace(); and in field extraction.
\swhite space\d\s\ddigit space digit
\Snot white space\d\S\ddigit non-whitespace digit
\Dnot digit\D\D\Dthree non-digits
\wword character (letter, number, or _)\w\w\wthree word chars
\Wnot a word character\W\W\Wthree non-word chars
[...]any included character[a-z0-9#]any char that is a thru z, 0 thru 9, or #
[^...]no included character[^xyz]any char but x, y, or z
*zero or more\w*zero or more word chars
+one or more\d+integer
?zero or one\d\d\d-?\d\d-?\d\d\d\dSSN with dashes being optional
|or\w|\dword or digit character
...)named extraction\d\d\d-?\d\d\d\dpull out a SSN and assign to 'ssn' field
(?: ... )logical or atomic groupingalphabetic character OR a digit
^start of line^\d+line begins with at least one digit
$end of line\d+$line ends with at least one digit
{ . . . }number of repetitions\d{3,5}between 3-5 digits
\escape\[escape the [ char

Download a PDF copy of the Quick Ref Guide


Filter Results
Filter results to only include those with "fail" in their raw text and status=0.... | search fail status=0
Remove duplicates of results with the same host value.... | dedup host%I
Keep only search results whose "_raw" field contains IP addresses in the non-routable class A ( | regex _raw=" (?

Group Results

Cluster results together, sort by their "cluster_count" values, and then return the 20 largest clusters (in data size).... | cluster t=0.9 showcount=true | sort limit=20 -cluster_count
Group results that have the same "host" and "cookie", occur within 30 seconds of each other, and do not have a pause greater than 5 seconds between each event into a transaction.... | transaction host cookie maxspan=30s maxpause=5s
Group results with the same IP address (clientip) and where the first result contains "signon", and the last result contains "purchase".... | transaction clientip startswith="signon" endswith="purchase"