Community:RegexSyntaxInSplunk

From Splunk Wiki


Splunk uses the Perl Compatible Regular Expressions (PCRE) library to implement its regular expressions. This project has its home at http://www.pcre.org. The code originally comes from the Exim mail server (MTA).

Most modern regex implementations have a great deal in common, so your best resources for these are generic internet or press sources which document them in an accessible fashion.

The following are some links to get started:

PCRE man page -- the expression syntax itself is relevant, but the sections on programming with the library are not, since Splunk is already written.

http://www.pcre.org/pcre.txt


Wikipedia page on the project, which identifies the (minor) differences between PCRE and Perl 5.

http://en.wikipedia.org/wiki/PCRE

A general introduction to Perl regexes, though it focuses significantly on Perl examples rather than on the expressions themselves.

http://perldoc.perl.org/perlretut.html

The authors of the PCRE library (the Exim project) refer to O'Reilly documentation:

http://oreilly.com/catalog/9780596528126/

Many customers have been happy with the basic, dense presentation found in this cheatsheet:

http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/

You can test your regex at:

http://regexlib.com/RETester.aspx
