Splunk Search

regex syntax clarification

drapkin11
Explorer

The following search returns results:
"context"

But this one does not:
regex "context"

And neither does this:
regex _raw="context"

Why not?

I am using Splunk 4.3.3 and according to http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Regex the previous 2 are valid and should return results.

I know that the word "context" is mentioned in my "_raw" field many times because I've exported a number of log events and found it there.


jtacy
Builder

I believe the regex command needs to be part of a pipeline, otherwise the search is actually going to be for the exact term that you specify. So, this probably wouldn't work:

regex "context"

...but this should:

| regex "context"

Please let us know if this works, thanks!



jtacy
Builder

Interesting! I didn't get that error but I tested on 5.0.2. Thanks for posting what worked for you!


drapkin11
Explorer

This didn't work: | regex "context"
Neither did this: * | regex "context"
In both cases I got this error: Error in 'SearchOperator:regex': Usage: regex (=|!=) )

But your answer led me to this which worked: * | regex _raw="context"
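Putting the thread's conclusion into a complete search (an added example, not from any of the posts above; the index name, the sourcetype, the time range and the patterns are assumptions). It uses the `regex <field>(=|!=)<regex>` form that the 4.3.3 usage error asks for, once to keep matching events and once to drop them:

```spl
index=main sourcetype=app_log earliest=-24h
| regex _raw="(?i)\bcontext\b"
| regex _raw!="(?i)context\s+(loaded|initiali[sz]ed)\s+ok"
| stats count by host
```

Terms before the first pipe are case-insensitive index lookups, while `regex` applies a PCRE pattern to the named field after the pipe and is case-sensitive unless the pattern carries `(?i)`, so a filter written without it can silently miss events the bare term would have found.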
