The rex operator extracts the information that matches a specified regular expression and assigns it to a field whose name you specify. You can also specify an optional start point and an end point in the rex expression; the information matching the regular expression is then searched for only between those two points.
When a rex expression is included in a search query, it must be preceded by a basic search query that finds the events from which the rex expression will extract information. For example: failed | rex "(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
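The following Python script is an added illustration of what the two steps above do; it is not code from the original page or from the product it documents. It emulates the basic search (keyword filter), the rex extraction into a named field, and the optional start and end points, over three constructed log events. The event text, the field name srcip and the start/end markers "from " and " port" are all assumptions for the illustration. It also shows why the `[^ ]` at the front of the page's pattern is worth checking: because `[^ ]` must consume one non-space character before `\d{1,3}`, the pattern matches an address such as 203.0.113.45 (the `[^ ]` absorbs the leading 2) but fails on an address whose first octet is a single digit following a space; the bounded variant captures both.

```python
import re

# Constructed sample events (not from the original page). Two contain "Failed".
EVENTS = [
    "Jan 10 12:00:01 host sshd[123]: Failed password for root from 203.0.113.45 port 4122 ssh2",
    "Jan 10 12:00:05 host sshd[124]: Accepted publickey for alice from 198.51.100.7 port 5110 ssh2",
    "Jan 10 12:00:09 host sshd[125]: Failed password for invalid user bob from 7.0.0.1 port 4123 ssh2",
]

# The page's pattern, as written, and a bounded variant (assumption) that
# anchors on word boundaries instead of consuming a leading character.
PAGE_PATTERN = r"(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
BOUNDED_PATTERN = r"\b(?<srcip>\d{1,3}(?:\.\d{1,3}){3})\b"


def to_python_regex(pattern):
    """Python's re module spells named groups (?P<name>...); rex-style
    (?<name>...) groups are rewritten. Lookbehinds (?<= and (?<! are untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def search(events, keyword):
    """The basic search that must precede rex: keep events containing the keyword
    (case-insensitive, so 'failed' finds 'Failed password')."""
    return [ev for ev in events if keyword.lower() in ev.lower()]


def rex(events, pattern, start=None, end=None):
    """Emulate the rex operator: for each event, optionally narrow the text to
    what lies between `start` and `end`, apply `pattern`, and return its named
    groups as a dict. An event with no match yields an empty dict."""
    compiled = re.compile(to_python_regex(pattern))
    results = []
    for ev in events:
        window = ev
        if start is not None:
            i = window.find(start)
            # No start marker: nothing to search in this event.
            window = window[i + len(start):] if i >= 0 else ""
        if end is not None:
            j = window.find(end)
            window = window[:j] if j >= 0 else window
        m = compiled.search(window)
        results.append(m.groupdict() if m else {})
    return results


def extract_failed_sources(pattern, start=None, end=None):
    """failed | rex <pattern>, returning the list of extracted field dicts."""
    return rex(search(EVENTS, "failed"), pattern, start=start, end=end)


if __name__ == "__main__":
    print("page pattern:   ", extract_failed_sources(PAGE_PATTERN))
    print("bounded pattern:", extract_failed_sources(BOUNDED_PATTERN))
    print("with start/end: ", extract_failed_sources(BOUNDED_PATTERN, start="from ", end=" port"))
```

Running the script shows the page's pattern extracting srcip from the first failed event but returning nothing for the event whose address starts with a single digit, while the bounded pattern extracts both; restricting the search with the start point "from " and the end point " port" does not change the result here but prevents a stray dotted number elsewhere in the event (a version string, for instance) from being picked up instead of the address.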
The following topics describe the rex search operator in detail.