Splunk Regex Cheat Sheet



Usage of Splunk commands : REGEX

The usage of the Splunk command regex is as follows:

  • The regex command removes those results that do not match the specified regular expression.
  • If no field is specified with the regex command, the regular expression is applied to the _raw field by default.


The syntax of the regex command in Splunk is as follows:

regex [<field-name> = <regex-expression>] [<field-name> != <regex-expression>]

Example 1:

index="ip" sourcetype="iplog"
| regex IP = "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
| table IP
| dedup IP

Result:

Explanation:

In the above query, "IP" is an existing field in the "ip" index, and the sourcetype name is "iplog". With the regex command we keep only the class A private IP addresses (10.0.0.0 to 10.255.255.255) in the "IP" field; the (?<!\d) and (?!\d) lookarounds stop the pattern from matching inside a longer run of digits such as 110.1.2.3. Then the table command selects the "IP" field, and the dedup command removes duplicate values.

*********************************************************************************

Example 2:

index="ip" sourcetype="iplog"
| regex IP != "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
| table IP
| dedup IP
Result:

Explanation:

In the above query, "IP" is an existing field in the "ip" index, and the sourcetype name is "iplog". With the regex command we keep the IP addresses in the "IP" field that are not class A private IP addresses (10.0.0.0 to 10.255.255.255). Here the "!=" operator is used to keep events that do not match the regular expression. Then the table command selects the "IP" field, and the dedup command removes duplicate values.

**********************************************************************************

Example 3:

index="ip" sourcetype="iplog"
| regex "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"

Result:

Explanation:


In the above query, "ip" is the index and the sourcetype name is "iplog". With the regex command we keep only the events containing a class A private IP address (10.0.0.0 to 10.255.255.255). Since no field is specified with the regex command, the regular expression is applied to the "_raw" field by default, so an event is kept if a matching address appears anywhere in its raw text, not only in the "IP" field.
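To see exactly which events the three queries above keep, here is an added Python model of the regex, table and dedup steps run over a small constructed event set. It is not Splunk code and is not from the original page: the sample events, the function names, and the treatment of events that lack the field are assumptions of this example. The pattern is the corrected one from the examples; Python's re module accepts it unchanged because it uses only \d, \., {m,n} and lookarounds, all of which mean the same thing in PCRE.

```python
import re

# Same pattern as the three queries above. Intended meaning: a dotted quad
# beginning with "10." that is not glued to other digits on either side,
# i.e. an address in the 10.0.0.0/8 private range.
PRIVATE_10_PATTERN = r"(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"

# Constructed sample events standing in for index=ip sourcetype=iplog.
# Each event carries its raw text plus an already-extracted IP field.
SAMPLE_EVENTS = [
    {"_raw": "src=10.1.2.3 action=allow", "IP": "10.1.2.3"},
    {"_raw": "src=10.200.0.7 action=allow", "IP": "10.200.0.7"},
    {"_raw": "src=10.1.2.3 action=deny", "IP": "10.1.2.3"},
    {"_raw": "src=110.1.2.3 action=allow", "IP": "110.1.2.3"},
    {"_raw": "src=192.168.10.1 action=allow", "IP": "192.168.10.1"},
    {"_raw": "src=8.8.8.8 note=proxied-via-10.9.9.9", "IP": "8.8.8.8"},
]


def regex_filter(events, pattern, field="_raw", negate=False):
    """Model of Splunk's regex command.

    Keeps events whose `field` value matches `pattern` anywhere (re.search,
    unanchored, like Splunk). With negate=True (the `field != "..."` form)
    it keeps events that do NOT match. An event without the field is treated
    as non-matching here; that is an assumption of this model.
    """
    compiled = re.compile(pattern)
    kept = []
    for event in events:
        value = event.get(field)
        matched = value is not None and compiled.search(value) is not None
        if matched != negate:
            kept.append(event)
    return kept


def table_dedup(events, field):
    """Model of `| table <field> | dedup <field>`: project a single field and
    keep the first occurrence of each distinct value, preserving order."""
    seen = set()
    out = []
    for event in events:
        value = event.get(field)
        if value is None or value in seen:
            continue
        seen.add(value)
        out.append(value)
    return out


def example_1(events=SAMPLE_EVENTS):
    """regex IP = "<pattern>" | table IP | dedup IP"""
    return table_dedup(regex_filter(events, PRIVATE_10_PATTERN, field="IP"), "IP")


def example_2(events=SAMPLE_EVENTS):
    """regex IP != "<pattern>" | table IP | dedup IP"""
    return table_dedup(
        regex_filter(events, PRIVATE_10_PATTERN, field="IP", negate=True), "IP"
    )


def example_3(events=SAMPLE_EVENTS):
    """regex "<pattern>" with no field: applied to _raw, so an event whose IP
    field is public but whose raw text mentions a 10.x address is kept."""
    return [e["_raw"] for e in regex_filter(events, PRIVATE_10_PATTERN)]


if __name__ == "__main__":
    print("Example 1:", example_1())
    print("Example 2:", example_2())
    print("Example 3:", example_3())
```

Two details worth checking against your own data: the lookarounds are what reject 110.1.2.3 in Example 1 (and therefore keep it in Example 2), and Example 3 keeps the 8.8.8.8 event because the 10.9.9.9 in its raw text matches even though the IP field does not. Note also that \d{1,3} does not validate octet ranges, so a malformed value such as 10.1.2.999 still matches; if that matters, tighten the octet pattern rather than relying on this one.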

Now you can use the regex command effectively in your daily work to meet your requirements.


Hope you are now comfortable with the usage of the Splunk command regex.


HAPPY SPLUNKING !!