topic Re: search regular expressions without field extraction in Splunk Search

search regular expressions without field extraction

jeremiahc4 — Mon, 04 Jun 2012 13:28:22 GMT

I would like to perform a regular expression search without any field extraction. I know you can do asterisks for things that start with what you're looking for, but all I have is a format of something I'm interested in. I'm sure this is simple and I've overlooked it, but I'm still coming up short. This is new unstructured data so I have no fields yet identified. I'm trying to search for a subset of events so I can start building out my field extractions.

I'm basically trying to search for any events that have a single letter followed by 6 numbers. I would use something like this in other languages;

[a-z,A-Z][0-9][0-9][0-9][0-9][0-9][0-9]

Re: search regular expressions without field extraction

cphair — Mon, 04 Jun 2012 13:33:25 GMT

Regex or rex would be what you want. Something like this should work:



... | regex _raw="\w\d{6}"

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Rex
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Regex

Re: search regular expressions without field extraction

jeremiahc4 — Mon, 04 Jun 2012 13:45:42 GMT

So the _raw was what I was missing I guess. Thanks.