Solved: search using a regex

alexl1 · ‎12-17-2013

hi, if I want to find events using a regex what is the syntax?

e.g if I want all events with either big or bag is there a way to use a regex like b.g

thanks,

alexl1 · ‎12-17-2013

I found it

regex _raw="b.g"

View solution in original post

grijhwani · ‎12-17-2013

Actually, to find answer specific example the regex would in fact be "b[ai]g". Your example would find any combination of three printable characters starting with "b" and ending with "g", and would also return such things as "b-g", "bog", "b4g", etc...

Furthermore, your example would match anything containing words with a similar sequence, such as "begin", "bogus", "abigail", etc...

If you want to limit to complete words only you will need the start/end of word markers (< and >), which in the context of the config file may also require escaping with "\", as in this example:

regex _raw="\<b[ai]g\>"

alexl1 · ‎12-17-2013

I found it

regex _raw="b.g"

search using a regex

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

search using a regex

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience