Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does (?m) mean at the beginning of a regex

Justin_Grant
Contributor
‎12-10-2009 08:15 PM

I saw this in \etc\system\README\transforms.conf.example:

REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$

What does the (?m) mean before the caret? Is this really matching 0 or 1 "m" characters at the end of the previous line, or does it have some special meaning?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Johnvey
Contributor
‎12-10-2009 09:08 PM

It declares the regex to read multiline data, i.e., don't stop the regex on a line break.

The (?<option_flag>) construct allows you to set various matching properties like case-insensitivity, multiline, greedy, etc. See http://www.regextester.com/pregsyntax.html for more info.

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-14-2010 06:51 PM

In general, all Splunk regexes use the PCRE flavor of regex, which is substantially the same regex syntax as Perl, Python, PHP, but significantly different from grep (or egrep).

Reply
Solved! Jump to solution
Solution

Johnvey
Contributor
‎12-10-2009 09:08 PM

It declares the regex to read multiline data, i.e., don't stop the regex on a line break.

The (?<option_flag>) construct allows you to set various matching properties like case-insensitivity, multiline, greedy, etc. See http://www.regextester.com/pregsyntax.html for more info.

Reply
Solved! Jump to solution

Jason
Motivator
‎10-07-2013 09:27 PM

More importantly, this "multiline mode" means that ^ and $ match the beginning and end (respectively) of each line, not the beginning and end of the entire string. This is important in multiline events, in case you want to find an item at the beginning of a line somewhere in your event.

Reply
Solved! Jump to solution

landen99
Motivator
‎07-17-2015 01:50 PM

And just as importantly, rex will match against the entire event without (?m) even if there are line breaks. With max_match=0, rex will even match on the pattern multiple times in the same event thus creating a multi-value field.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Ready to make your IT operations smarter and more efficient? Discover how to automate Splunk alerts with Red ...