Regular Expression in Search


I currently have a search looking for specific attack_id values. For example:

("attack_id=3040" OR "attack_id=3057" OR "attack_id=3054")

My question is, how could I create a regular expression that could cut this down so that I would only need to enter the text attack_id= once, followed by a series of numbers such as 3040 3057 3054 etc., and have the search trigger on a combination of attack_id= and one of the numbers.

For those who are familiar, just like egrep in unix.


Hi All,
We want to do a field extraction where we need to eliminate the comma from the field value. E.g. we get the log as ......number = 524,361....... and what we need is the number to be extracted as "number = 524361" (the comma is removed in the output). Is there a way to do it using regex, maybe with some function or something? Or any other way to achieve it? Appreciate your response in advance.



Hi @manish_578,

If you want to clear comma on search you can use replace command like below;

| eval number =replace(number,",","")

Or if you want to put this into extractions, you should put the EVAL below inside your sourcetype settings;

EVAL-number = replace(number,",","")


If this reply helps you an upvote is appreciated.



Yes, this is good for search, but how do I use it for field extraction and in the regex directly?




Could someone please help me to filter these raw fields and extract one into a new field? I just need to gather "DUMP is complete" and convert it to a new field, which is dump_status.

Backup Server: Using numzones of 3 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: Using archcnt of 1 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: Using dbdevcnt of 2 for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: Using pagesize of 16384 bytes for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.
Backup Server: Database ECP: 34414 kilobytes DUMPED.
Backup Server: Dump phase number 3 completed.
Backup Server: Database ECP: 34436 kilobytes DUMPED.
Backup Server: DUMP is complete (database ECP).
(return status = 0)

Thank you!

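The two extraction questions above (stripping the comma out of "number = 524,361", and pulling "DUMP is complete" out of the Sybase backup log into dump_status) are both named-group captures, which is what Splunk's rex command and a props.conf EXTRACT do. The following is an added example, not code from the thread or from Splunk, that runs the same patterns in Python over constructed sample events; the Splunk forms are given in the comments. Python spells a named group (?P<name>...), while Splunk's PCRE accepts the (?<name>...) form used in SPL; the sourcetype name and the extra fields db and return_status are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events for this example (not taken from the thread's logs).
COMMA_NUMBER_EVENT = "2019-07-19T15:15:01 app=billing number = 524,361 status=ok"

SYBASE_EVENTS: List[str] = [
    "Backup Server: Using pagesize of 16384 bytes for device /sybase//log_archives/ECP_trans_2019-07-19T15_15_01.dmp.",
    "Backup Server: Database ECP: 34414 kilobytes DUMPED.",
    "Backup Server: Dump phase number 3 completed.",
    "Backup Server: DUMP is complete (database ECP).",
    "(return status = 0)",
]

# Splunk equivalent of the number case, at search time:
#   | rex "number\s*=\s*(?<number>\d{1,3}(?:,\d{3})*)\b" | eval number=replace(number, ",", "")
# or in props.conf for the sourcetype (field extractions run before calculated fields,
# so the EVAL sees the captured value; the stanza name is an assumption):
#   [your_sourcetype]
#   EXTRACT-number = number\s*=\s*(?<number>\d{1,3}(?:,\d{3})*)\b
#   EVAL-number    = replace(number, ",", "")
NUMBER_RE = re.compile(r"number\s*=\s*(?P<number>\d{1,3}(?:,\d{3})*)\b")


def extract_number(event: str) -> Optional[int]:
    """Capture a thousands-separated number and return it without commas."""
    m = NUMBER_RE.search(event)
    if m is None:
        return None
    return int(m.group("number").replace(",", ""))


# Splunk equivalent of the Sybase case:
#   | rex "Backup Server: (?<dump_status>DUMP is complete) \(database (?<db>\w+)\)"
#   | rex "\(return status = (?<return_status>-?\d+)\)"
DUMP_RE = re.compile(r"Backup Server: (?P<dump_status>DUMP is complete) \(database (?P<db>\w+)\)")
STATUS_RE = re.compile(r"\(return status = (?P<return_status>-?\d+)\)")


def extract_dump_fields(events: List[str]) -> Dict[str, object]:
    """Scan a multi-line backup log and collect dump_status, db and return_status.

    Lines matching neither pattern (the 'Using pagesize ...' noise) are skipped,
    so the result only carries fields that were actually present in the log.
    """
    fields: Dict[str, object] = {}
    for line in events:
        m = DUMP_RE.search(line)
        if m:
            fields.update(m.groupdict())
        m = STATUS_RE.search(line)
        if m:
            fields["return_status"] = int(m.group("return_status"))
    return fields
```

The \b after the number group stops the pattern from silently truncating a value such as 1234,567 to 123; with the anchor it simply does not match, which is easier to notice than a wrong number. Capturing return_status alongside dump_status is what lets a search alert on a backup that printed the completion line but exited non-zero.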


With newer versions of Splunk you can use:

attack_id IN (1231 1231 23421)


attack_id IN (1231,1231,23421)


regex attack_id="30(40|57|54)"


No, you cannot write attack_id = (1231 OR 1231 OR 23421).

Have you looked at the regex command to filter out events?



For a more static classification, make use of the eventtype feature in Splunk, where you can define this as 'attack_type_a', and then search for eventtype=attack_type_a.

Hope this helps,



Is it possible to use regex before the first pipe? I want to filter out the events beforehand, so that it might increase the performance of the query.




You can add your extraction in props.conf, allowing you to use it in your main search before the first pipe, like this.

Let's say you have already extracted a field called "attackers".

index=your_index sourcetype=l33t attackers=* | ...


OK but the "props.conf" is not something convenient.
If I want to filter out all traffic coming from my legit sites :

http://a.b.com OR https://a.b.com OR http://mobile.a.b.com OR https://mobile.a.b.com OR http://a.b.com. OR https://a.b.com. OR http://app1.a.b.com OR https://app1.a.b.com OR http://app2.a.b.com OR https://app2.a.b.com

This is how I currently do it ... it would be more efficient to do so with a REGEX "in" the filtering of the referer directly (in my case)!


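Collapsing the referer OR list above into one regex is where an allow-list quietly turns into a substring check: a pattern that ends at a.b.com also accepts a.b.com.evil.example, a.b.com@evil.example and any URL that merely carries a.b.com in its query string. The following is an added example, not code from the thread, that runs three versions of the check over constructed referer values: the literal unanchored translation of the OR list, an anchored pattern usable as `| regex referer="^https?://(mobile\.|app1\.|app2\.)?a\.b\.com\.?(:\d+)?(/|\?|#|$)"`, and a host comparison after URL parsing. The hostile domain evil.example and the field name referer are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed referer values for this example (not from the thread); "evil.example"
# stands in for an attacker-controlled domain.
REFERERS = [
    "http://a.b.com/",
    "https://mobile.a.b.com/login",
    "https://a.b.com./x",                           # trailing-dot FQDN form listed in the post
    "https://app2.a.b.com",
    "http://app3.a.b.com/",                          # subdomain NOT in the allow-list
    "https://a.b.com.evil.example/",                 # legit host as a prefix of a hostile host
    "https://a.b.com@evil.example/",                 # legit host in the userinfo part
    "https://evil.example/?next=https://a.b.com/",   # legit URL only inside the query string
]

# Literal translation of the OR list into one pattern, with nothing after the host.
# This is what `| regex referer="https?://(mobile\.|app1\.|app2\.)?a\.b\.com"` does.
LOOSE_RE = re.compile(r"https?://(?:mobile\.|app1\.|app2\.)?a\.b\.com", re.I)

# Anchored at the start; the host may carry a trailing dot and a port, and must then
# be followed by a path/query/fragment delimiter or the end of the string.
STRICT_RE = re.compile(
    r"^https?://(?:mobile\.|app1\.|app2\.)?a\.b\.com\.?(?::\d+)?(?:[/?#]|$)", re.I
)

ALLOWED_HOSTS = {"a.b.com", "mobile.a.b.com", "app1.a.b.com", "app2.a.b.com"}


def loose_match(referer: str) -> bool:
    return LOOSE_RE.search(referer) is not None


def strict_match(referer: str) -> bool:
    return STRICT_RE.match(referer) is not None


def is_legit_referer(referer: str) -> bool:
    """Parse the URL and compare the host component against the allow-list."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_HOSTS


def hostile_passed_by_loose(referers):
    """Referers the loose pattern accepts but host parsing rejects."""
    return [r for r in referers if loose_match(r) and not is_legit_referer(r)]
```

When the filter has to live inside the search, use the anchored form; the host-parsing version is what to reach for when the referer is normalised at ingest time, because it does not depend on remembering every delimiter a URL can have after the host.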


Perfect. A regex was exactly what I needed. The solution was a search like this:

host="myhost.com" | regex attack_id="3040|3054|3048|32708"

Worked a treat. Thanks.
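The accepted search works, but `| regex attack_id="3040|3054|3048|32708"` is an unanchored alternation, so it also keeps attack_id=30401 or attack_id=13054; the prefix-factored `30(40|57|54)` suggested earlier has the same property. The following is an added example, not code from the thread, that runs the loose pattern, the anchored pattern and the `attack_id IN (...)` membership test over constructed events so the difference is visible. The event format and the ids 30401, 13054 and 9999 are assumptions for illustration.

```python
import re
from typing import List, Optional

# Constructed events for this example (not from the thread). Two of them carry ids
# that merely contain a wanted id as a substring.
EVENTS = [
    "host=myhost.com attack_id=3040 action=blocked",
    "host=myhost.com attack_id=3054 action=blocked",
    "host=myhost.com attack_id=30401 action=allowed",   # starts with 3040
    "host=myhost.com attack_id=13054 action=allowed",   # ends with 3054
    "host=myhost.com attack_id=32708 action=blocked",
    "host=myhost.com attack_id=9999 action=allowed",
]
WANTED = ["3040", "3054", "3048", "32708"]

FIELD_RE = re.compile(r"\battack_id=(\d+)")


def extract_attack_id(event: str) -> Optional[str]:
    m = FIELD_RE.search(event)
    return m.group(1) if m else None


def loose_filter(events: List[str], ids: List[str]) -> List[str]:
    """Same semantics as `| regex attack_id="3040|3054|3048|32708"`: the alternation is
    unanchored, so it accepts any value that contains one of the ids."""
    pat = re.compile("|".join(re.escape(i) for i in ids))
    return [v for e in events if (v := extract_attack_id(e)) is not None and pat.search(v)]


def strict_filter(events: List[str], ids: List[str]) -> List[str]:
    """Same semantics as `| regex attack_id="^(3040|3054|3048|32708)$"`: anchored, so the
    whole value must equal one of the ids. The factored form needs the same anchors:
    `^30(40|57|54)$`."""
    pat = re.compile("^(?:" + "|".join(re.escape(i) for i in ids) + ")$")
    return [v for e in events if (v := extract_attack_id(e)) is not None and pat.match(v)]


def in_filter(events: List[str], ids: List[str]) -> List[str]:
    """Exact membership, which is how `attack_id IN (3040, 3054, 3048, 32708)` evaluates.
    In SPL that form belongs before the first pipe, where it is applied while events
    are retrieved instead of to every retrieved event afterwards, as `| regex` is."""
    wanted = set(ids)
    return [v for e in events if (v := extract_attack_id(e)) in wanted]
```

Because the ids are numeric, the anchored regex and the IN form are interchangeable in the result; prefer IN in the base search when the Splunk version supports it, and fall back to the anchored `| regex` only when the values genuinely need pattern matching.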