rex
Description
Extracts values from a string field using a regular expression. Each named capture group (?<name>...) in the expression becomes a new field on the event that receives the captured text.
Syntax
... | rex field = <field> "(?<new_field><reg-expression>*)" [max_match=<int>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| <field> | <field> | Field whose value the regular expression is applied to. |
| <reg-expression> | <string> | Regular expression containing one or more named capture groups; each group extracts one value. |
| <new_field> | <string> | Name of a named capture group. A field with that name is added to the event and receives the captured value. |
Tags for new_field
The <new_field> name may begin with one of the following tags, which change how the captured value is used:
| Parameter | Syntax | Description |
|---|---|---|
| _KEY_ | _KEY_<string> | The value captured by this group is used as the name of a new field; the <string> after the tag only labels the group. |
| _VAL_ | _VAL_<string> | The value captured by this group is stored in the field whose name was supplied by the _KEY_ group. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| max_match | max_match=<int> | 1 | Maximum number of matches returned. With the default of 1 only the first match is used and each new field receives a single value; max_match=0 removes the limit and returns every match, with each new field receiving a list of values (see Example 2). |
Query Examples
Example 1
In this example the user field has the value 127.0.0.1:5555, 192.168.0.1:2802. Because max_match defaults to 1, only the first match is used: the ip field receives 127.0.0.1 and the port field receives 5555.
...
| rex field = user "(?<ip>[0-9.]+):(?<port>[0-9]*)"
Example 2
In this example the memberOf field has the value CN=John Smith, OU=Employees, DC=dc. With max_match=0 every match is returned, so the keysField field receives ["CN", "OU", "DC"] and the valuesField field receives ["John Smith", "Employees", "dc"].
...
| rex field = memberOf "(?<keysField>[a-zA-Z0-9_ ]*)=(?<valuesField>[a-zA-Z_ ]*)" max_match=0
Example 3
In this example the memberOf field again has the value CN=John Smith, OU=Employees, DC=dc. The _KEY_ group captures CN and the _VAL_ group captures John Smith, so a field named CN is created and receives the value John Smith.
...
| rex field = memberOf "(?<_KEY_keyField>[a-zA-Z0-9_ ]*)=(?<_VAL_valueField>([a-zA-Z_ ])*)" max_match=1
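The following Python model is an added example, not the query engine's own implementation: it reproduces the rex semantics described above (named groups become fields, max_match=1 returns one scalar per field, max_match=0 returns lists, and _KEY_/_VAL_ groups create a field named by one capture and filled by another) so the three examples can be traced by hand. Assumptions not stated on the page: the i-th _KEY_ group is paired with the i-th _VAL_ group, and the DN pattern DN_PAIRS is my own (it adds \s* so the key group captures the bare attribute name). Python's re module only accepts (?P<name>...), so the page's (?<name>...) groups are rewritten before compiling. The sample events are constructed from the values used in the examples.

```python
import re

# Group-name prefixes from the "Tags for new_field" table.
KEY_TAG = "_KEY_"
VAL_TAG = "_VAL_"


def to_python_regex(pattern):
    """Rewrite (?<name>...) named groups to Python's (?P<name>...) form.

    Look-behind assertions (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(event, field, pattern, max_match=1):
    """Model of `... | rex field = <field> "<pattern>" max_match=<n>`.

    Returns a copy of `event` with the extracted fields added:
      * max_match=1 (default): first match only, each new field holds a string;
      * max_match=0: every match, each new field holds a list of strings;
      * max_match=n>1: at most n matches, list values.
    Groups named _KEY_<x> supply a field name, groups named _VAL_<x> supply the
    value stored under it. Pairing the i-th _KEY_ with the i-th _VAL_ group is
    an assumption; the page only shows one pair.
    """
    out = dict(event)
    text = event.get(field)
    if text is None:
        return out                      # field absent: event unchanged

    regex = re.compile(to_python_regex(pattern))
    matches = []
    for m in regex.finditer(str(text)):
        matches.append(m)
        if 0 < max_match <= len(matches):
            break
    if not matches:
        return out                      # no match: no fields added

    # Named groups in the order they appear in the pattern.
    names = sorted(regex.groupindex, key=regex.groupindex.get)
    key_groups = [n for n in names if n.startswith(KEY_TAG)]
    val_groups = [n for n in names if n.startswith(VAL_TAG)]
    plain = [n for n in names if n not in key_groups and n not in val_groups]

    multi = max_match != 1              # list values unless exactly one match is requested
    created = set()                     # fields this call has already started a list for

    def assign(name, value):
        if not multi:
            out[name] = value
        elif name in created:
            out[name].append(value)
        else:
            out[name] = [value]
            created.add(name)

    for m in matches:
        for n in plain:
            assign(n, m.group(n))
        for k, v in zip(key_groups, val_groups):
            if m.group(k) is not None:  # skip _KEY_ groups that did not participate
                assign(m.group(k), m.group(v))
    return out


# Constructed sample events using the values from the page's examples.
SAMPLE_USER = {"user": "127.0.0.1:5555, 192.168.0.1:2802"}
SAMPLE_DN = {"memberOf": "CN=John Smith, OU=Employees, DC=dc"}

# The page's Example 1 pattern. The port group is [0-9]*, so "1.2.3.4:" still
# matches with an empty port; use [0-9]+ if an empty port must not match.
IP_PORT = r"(?<ip>[0-9.]+):(?<port>[0-9]*)"

# Assumed DN pattern (not from the page): \s* swallows the space after each
# comma so the _KEY_ group captures the bare attribute name (CN, OU, DC).
DN_PAIRS = r"\s*(?<_KEY_attr>[A-Za-z0-9_]+)=(?<_VAL_value>[^,]*)"


if __name__ == "__main__":
    print(rex(SAMPLE_USER, "user", IP_PORT))                 # Example 1
    print(rex(SAMPLE_USER, "user", IP_PORT, max_match=0))    # all ip:port pairs
    print(rex(SAMPLE_DN, "memberOf", DN_PAIRS))              # Example 3 style, CN=John Smith
    print(rex(SAMPLE_DN, "memberOf", DN_PAIRS, max_match=0)) # one field per DN attribute
```

Two things worth checking before running a rex pattern over untrusted log fields with max_match=0: a group that can match the empty string (such as [0-9]* above) will happily return empty values, and every match becomes a new field, so a _KEY_ group applied to attacker-controlled text lets that text choose field names on the event.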