-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrex-vs-regex.txt
47 lines (28 loc) · 2.13 KB
/
rex-vs-regex.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# 07th march 2018 inventsekar
# to understand the basic differences between rex and regex
rex - Description
------------------------
Use this command to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.
The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names. If a field is not specified, the regular expression is applied to the _raw field. Note: Running rex against the _raw field might have a performance impact.
When mode=sed, the given sed expression used to replace or substitute characters is applied to the value of the chosen field. If a field is not specified, the sed expression is applied to _raw. This sed-syntax is also used to mask sensitive data at index-time. Read about using sed to anonymize data in the Getting Data In Manual.
Use the rex command for search-time field extraction or string replacement and character substitution.
regex - Description
--------------------------
The regex command removes results that do not match the specified regular expression.
or,
this regex command prints out the results that match the specified regular expression.
#-------------------------------------------------------
# Normally you would use "rex".
# regex is, generally less-required than rex.
# so, as a beginner, if you are got confusion of which one to use "rex or regex", normally you would required to use "rex".
#-------------------------------------------------------
examples for rex and regex
------------------------------
Example for REX
-------------------
Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
Example for Regex
--------------------
Keep only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8). This example uses a negative lookbehind assertion at the beginning of the expression.
... | regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"