https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579725#M202001 <P>Your regex is matching against the _raw field. It it looking for a string in the _raw field which could be anywhere in the <U>_raw</U> field matching the expression <FONT color="#FF0000">user=</FONT><FONT color="#0000FF">[a-z]{3,6}</FONT><FONT color="#FF00FF">[a-z1-9]{1,2}</FONT> , for example:</P><P>not<FONT color="#FF0000">user=</FONT><FONT color="#3366FF">abc</FONT><FONT color="#FF00FF">1</FONT>@nowhere</P><P><FONT color="#FF0000">user=</FONT><FONT color="#0000FF"><SPAN>sst</SPAN></FONT><SPAN><FONT color="#FF00FF">e</FONT>venson6111</SPAN></P><P><SPAN>All your examples match this expression</SPAN></P> Sun, 02 Jan 2022 08:07:24 GMT ITWhisperer 2022-01-02T08:07:24Z https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579715#M201994 <P>Hello,</P><P>I'm attempting to use the regex command to filter out any records on the "user" field that do not match the written expression below:</P><LI-CODE lang="markup">index=myindex sourcetype=traceability_log4net earliest=-10d | regex _raw="user=[a-z]{3,6}[a-z1-9]{1,2}" | table user</LI-CODE><P>Per the expression, there should not be any "user" records that exceed 8 characters. However, the non-matching values are not being filtered out.</P><P>"sstevenson6111", for example,&nbsp; should theoretically be listed as "sstevens" per the expression.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="regex_user-table.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17396i19D093E12B6AA3A1/image-size/medium?v=v2&amp;px=400" role="button" title="regex_user-table.PNG" alt="regex_user-table.PNG" /></span></P><P>&nbsp;I'm sure there's something blindingly obvious that I'm missing!&nbsp;<span class="lia-unicode-emoji" title=":flushed_face:">😳</span></P><P>&nbsp;</P> Sat, 01 Jan 2022 22:00:19 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579715#M201994 bcanfield83 2022-01-01T22:00:19Z https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579716#M201995 <P>The <FONT face="courier new,courier">regex</FONT> command passes what matches the specified expression.&nbsp; To filter them out, use <FONT face="courier new,courier">!=</FONT>.</P> Sun, 02 Jan 2022 00:46:19 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579716#M201995 richgalloway 2022-01-02T00:46:19Z https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579723#M202000 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/171388">@bcanfield83</a>&nbsp;This may help you:&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/How-to-write-a-regular-expression-to-filter-out-field-values/m-p/254358" target="_blank" rel="noopener">https://community.splunk.com/t5/Splunk-Search/How-to-write-a-regular-expression-to-filter-out-field-values/m-p/254358</A>&nbsp;</P> Sun, 02 Jan 2022 05:50:37 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579723#M202000 ashvinpandey 2022-01-02T05:50:37Z https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579725#M202001 <P>Your regex is matching against the _raw field. It it looking for a string in the _raw field which could be anywhere in the <U>_raw</U> field matching the expression <FONT color="#FF0000">user=</FONT><FONT color="#0000FF">[a-z]{3,6}</FONT><FONT color="#FF00FF">[a-z1-9]{1,2}</FONT> , for example:</P><P>not<FONT color="#FF0000">user=</FONT><FONT color="#3366FF">abc</FONT><FONT color="#FF00FF">1</FONT>@nowhere</P><P><FONT color="#FF0000">user=</FONT><FONT color="#0000FF"><SPAN>sst</SPAN></FONT><SPAN><FONT color="#FF00FF">e</FONT>venson6111</SPAN></P><P><SPAN>All your examples match this expression</SPAN></P> Sun, 02 Jan 2022 08:07:24 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Help/m-p/579725#M202001 ITWhisperer 2022-01-02T08:07:24Z