Solved: Why doesn't this regex work?

ccannon1 · ‎04-06-2011

Let's say I have these 2 events in my index:

04-06 15:56:03 This is another log line of text 654321
04-06 15:55:03 This is a log line of text 123456

I can simply enter index="test" log on the search bar and will see both events return, however, if I enter index="test" regex="log" in the search bar, it returns 0 events. This regex is valid PCRE. Entering index="test" regex=".*log.*" doesn't return any results either.

ziegfried · ‎04-06-2011

With regex="log" you're actually performing a field search on the field regex. You probably want to use the regex command instead.

index=test | regex _raw="log"

View solution in original post

ziegfried · ‎04-06-2011

With regex="log" you're actually performing a field search on the field regex. You probably want to use the regex command instead.

index=test | regex _raw="log"

southeringtonp · ‎04-08-2011

Or, when you just need basic wildcard matches, you can skip the regex processing altogether and use "log*" instead of the regex "log.*"

Why doesn't this regex work?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms