Solved: search using a regex

alexl1 · ‎12-17-2013

hi, if I want to find events using a regex what is the syntax?

e.g if I want all events with either big or bag is there a way to use a regex like b.g

thanks,

alexl1 · ‎12-17-2013

I found it

regex _raw="b.g"

View solution in original post

grijhwani · ‎12-17-2013

Actually, to find answer specific example the regex would in fact be "b[ai]g". Your example would find any combination of three printable characters starting with "b" and ending with "g", and would also return such things as "b-g", "bog", "b4g", etc...

Furthermore, your example would match anything containing words with a similar sequence, such as "begin", "bogus", "abigail", etc...

If you want to limit to complete words only you will need the start/end of word markers (< and >), which in the context of the config file may also require escaping with "\", as in this example:

regex _raw="\<b[ai]g\>"

alexl1 · ‎12-17-2013

I found it

regex _raw="b.g"

search using a regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation