regex vs where match()

yuanliu · ‎05-25-2021

I've never used |regex, but use |where match() quite often. Is the former just syntax sugar or is there any difference?

isoutamo · ‎05-25-2021

Basically both are doing the same thing. You should use job inspector to check which one perform better for your case.

yuanliu · ‎05-26-2021

Is this confirmation that the implementation is different? The question is about language (as opposed to efficiency or suitability for a given use case), and I feel is an answerable one, unlike a question about, say, two seemingly equivalent regular expressions.

aasabatini · ‎05-25-2021

Hi @yuanliu

did you mean rex command?

rex command give you the possibility to extract field in search time

https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Rex

eval match it's just to put regex on condition

anyway the scope are different

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

yuanliu · ‎05-25-2021

@aasabatini wrote:
did you mean rex command?

Not rex. regex.

regex vs where match()

regex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

regex vs where match()

regex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25