Extract all information after text1 and until text2 that matches the specified regex (regular expression) and assign to field1.
text1 and [text2] can be any points in an event: the start or end of the event, a specific string in the event (even if the string is in the middle of a word), a specific number of characters from the start or end of the event, or a pattern. To specify the next space in the event as text2, enter [^ ].
This is interpreted as “not space.” Negating a character in this way causes the capture to stop at the point where the specified character, in this case a space, is found in the event.
To specify [text2] to be the end of the line, enter [^$].
This is interpreted as "not end of line." Therefore, when an end-of-line in an event is encountered, the capture stops at that point. On its own, [^$] captures only one character (provided it is not an end-of-line character); specifying [^$]* in a rex expression captures all characters up to the end of the line.
You can also specify .* to capture all characters in an event instead of [^$]. Examples in this document, however, use [^$].
Information captured by a rex expression can be used for further processing in a subsequent rex expression. In the following example, the first rex expression captures an IP address, and the second rex expression extracts the network ID from the captured IP address (assuming the first three bytes of the IP address represent the network ID):
logger | rex "(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=srcip "(?<netid>\d{1,3}\.\d{1,3}\.\d{1,3})"
Note: If you are an experienced regular expression user, you can interpret the rex expression syntax as follows:
rex "(?<field1>regex)"
where the entire expression in the parentheses specifies a named capture. That is, the captured group is assigned a name that can be referenced later for further processing. For example, in the following expression “srcip” is the name assigned to the capture.
failed | rex "(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Once named, use “srcip” for further processing as follows:
failed | rex "(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | top srcip
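The following Python script is an added example, not code from the original page or from the product it documents. It models the three pipelines shown above (keyword search, rex with a named capture, rex field= chained over an earlier capture, and top) against a handful of constructed syslog-style events, so that the behaviour of [^ ], [^$] and [^$]* as text2 can be observed directly. The search, rex and top functions are stand-ins written for this example; the keyword search is assumed to be a case-insensitive substring match, and the page's (?<name>...) syntax is rewritten to Python's (?P<name>...) because Python's re module only accepts the latter.

```python
import re
from collections import Counter

# Constructed sample events (not from the original page), one event per line.
EVENTS = [
    "Jan 10 08:01:02 host1 sshd[100]: Failed password for root from 10.1.2.3 port 5001 ssh2",
    "Jan 10 08:01:05 host1 sshd[101]: Failed password for admin from 10.1.2.3 port 5002 ssh2",
    "Jan 10 08:01:09 host2 sshd[102]: Failed password for bob from 192.168.7.9 port 5003 ssh2",
    "Jan 10 08:01:12 host2 sshd[103]: Accepted publickey for alice from 10.1.5.6 port 5004 ssh2",
]


def search(lines, keyword):
    """Stand-in for the leading keyword search (e.g. `failed`); assumed to be a
    case-insensitive substring match. Each hit becomes a dict holding the raw line."""
    return [{"_raw": line} for line in lines if keyword.lower() in line.lower()]


def rex(events, expression, field=None):
    """Stand-in for `rex "(?<name>regex)"` and `rex field=f "(?<name>regex)"`.
    The (?<name>...) named-capture syntax is rewritten to Python's (?P<name>...);
    lookbehinds (?<= and (?<! are left untouched."""
    pattern = re.compile(re.sub(r"\(\?<(?=\w)", "(?P<", expression))
    out = []
    for ev in events:
        # With field= the regex runs over an earlier capture, not the raw event.
        subject = ev.get(field) if field else ev["_raw"]
        m = pattern.search(subject) if subject is not None else None
        # Named groups become new fields; an event with no match keeps its old fields.
        out.append({**ev, **m.groupdict()} if m else dict(ev))
    return out


def top(events, field):
    """Stand-in for `top field`: (value, count) pairs, most frequent first."""
    return Counter(ev[field] for ev in events if field in ev).most_common()


def failed_by_source():
    # failed | rex "(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | top srcip
    events = rex(search(EVENTS, "failed"),
                 r"(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
    return top(events, "srcip")


def network_ids():
    # ... | rex field=srcip "(?<netid>\d{1,3}\.\d{1,3}\.\d{1,3})"
    events = rex(search(EVENTS, "failed"),
                 r"(?<srcip>[^ ]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
    events = rex(events, r"(?<netid>\d{1,3}\.\d{1,3}\.\d{1,3})", field="srcip")
    return [(ev["srcip"], ev["netid"]) for ev in events]


def after_port(expression):
    """Capture what follows 'port ' in the event containing 5001, to contrast
    [^$] (a single character) with [^$]* (everything through end of line)."""
    return rex(search(EVENTS, "5001"), expression)[0]["tail"]


if __name__ == "__main__":
    print(failed_by_source())
    print(network_ids())
    print(after_port(r"port (?<tail>[^$])"))   # one character only
    print(after_port(r"port (?<tail>[^$]*)"))  # rest of the line
```

Two caveats worth knowing when reading the page's expressions with a standard regex engine in mind. First, [^ ] is a character class that matches and consumes one non-space character, so when the IP address is preceded by something other than a space (for example src=10.1.2.3), that preceding character becomes part of srcip; starting the capture at \d{1,3} avoids this. Second, inside a character class $ is a literal dollar sign, so [^$]* strictly means "any run of characters other than $"; it reaches the end of the line in practice because an event is a single line, but it would stop early at a literal $ in the event.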