
Splunk Regex Lab

Test and craft Splunk-valid regex patterns for field extraction.

Paste a raw event, highlight the exact text you want to match, and generate extraction-ready patterns for SPL, props.conf, or transforms.conf. You’ll get a search-time rex regex, a copy-ready props.conf stanza, and a transforms.conf stanza that maps capture groups to fields. The toggles let you loosen or tighten the match, generalize tokens, or switch to numbered captures when you want a more reusable transform.

How to use this regex builder

Select text in the sample event, then click “Build regex from selection” to generate outputs.

Toggle meanings

  • Case insensitive adds (?i) so the pattern matches regardless of letter case.
  • Collapse whitespace replaces literal spaces with \s+ so one or more whitespace characters match.
  • Include context extends the pattern with the key/value text around the selection so it anchors on the right spot rather than the first lookalike.
  • Generalize words swaps word literals for [A-Za-z]+ or \w+.
  • Exact match uses the literal selection without generalizing.
  • Wrap selection as named capture uses (?<field>...).
  • Extract all matches adds max_match=0 to rex (unlimited matches; the extracted fields become multivalue).
  • Repeat matches in transforms adds REPEAT_MATCH = true to the transforms.conf stanza.
  • Numbered captures in transforms drops the group names and maps $1/$2 to fixed field names with FORMAT.
  • Show match preview highlights matches below the button.

Field inputs

  • Field name 1/2/… are the output fields for named captures.
  • Sourcetype fills the props.conf stanza header. Splunk expects the bare sourcetype name there, as in [my_sourcetype]; the source::... and host::... prefixes are only for source and host stanzas.
  • Extraction name is the REPORT/transforms stanza name.

Tips

  • Select keys to capture keys, select values to capture values.
  • Use multiple selections to build multi-capture regex.
  • Press “Build regex from selection” after changing inputs.
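The procedure above ends with three outputs: a rex line, a props.conf stanza and a transforms.conf stanza. The following is an added example, not code from the Splunk Regex Lab tool, that builds all three for one constructed SSH event and checks the regex against it. It uses Python's re module as a stand-in for Splunk's PCRE engine (the only difference that matters here is the named-group syntax), and the sourcetype linux_secure and extraction name ssh_failed_login are hypothetical.

```python
import re

# Constructed sample event (not real log data).
EVENT = ("Jan 10 12:00:01 web01 sshd[4242]: Failed password for admin "
         "from 203.0.113.7 port 5222 ssh2")

# Regex the builder would emit after selecting "admin" and "203.0.113.7" with
# "Include context" on: the captures are anchored to the literal text around them.
SPLUNK_REGEX = (r"Failed password for (?<user>\w+) from "
                r"(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})")

NAMED_GROUP = re.compile(r"\(\?<([A-Za-z_]\w*)>")


def splunk_to_python(pattern):
    """Splunk's PCRE engine spells named groups (?<name>...); Python's re wants
    (?P<name>...). Lookbehinds (?<= and (?<! carry no name, so they are left alone."""
    return NAMED_GROUP.sub(r"(?P<\1>", pattern)


def rex(event, pattern, max_match=1):
    """Stand-in for `| rex field=_raw "<pattern>" max_match=N`.
    max_match=1 (Splunk's default) takes the first match and returns scalar fields;
    max_match=0 takes every match and each field becomes a multivalue list."""
    compiled = re.compile(splunk_to_python(pattern))
    if max_match == 1:
        m = compiled.search(event)
        return m.groupdict() if m else {}
    fields = {}
    for i, m in enumerate(compiled.finditer(event)):
        if max_match and i >= max_match:
            break
        for name, value in m.groupdict().items():
            fields.setdefault(name, []).append(value)
    return fields


def render_rex(pattern, max_match=1):
    """The SPL line. A double quote inside the pattern must be backslash-escaped first."""
    suffix = "" if max_match == 1 else f" max_match={max_match}"
    return f'| rex field=_raw "{pattern}"{suffix}'


def render_props(sourcetype, extraction_name):
    """props.conf: the header is the bare sourcetype name, and REPORT- registers a
    search-time extraction whose regex lives in transforms.conf."""
    return f"[{sourcetype}]\nREPORT-{extraction_name} = {extraction_name}\n"


def render_transforms(extraction_name, pattern, numbered=False, repeat=False):
    """transforms.conf: with named captures Splunk takes the field names from the
    groups; with numbered captures FORMAT maps $1, $2, ... to fixed field names.
    The numbering assumes the named groups are the only capturing groups, in order."""
    names = NAMED_GROUP.findall(pattern)
    lines = [f"[{extraction_name}]"]
    if numbered:
        pattern = NAMED_GROUP.sub("(", pattern)  # (?<user>\w+) -> (\w+), now $1
        lines.append(f"REGEX = {pattern}")
        lines.append("FORMAT = " + " ".join(f"{n}::${i}" for i, n in enumerate(names, 1)))
    else:
        lines.append(f"REGEX = {pattern}")
    if repeat:
        lines.append("REPEAT_MATCH = true")  # keep extracting after the first match
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rex(EVENT, SPLUNK_REGEX))
    print(render_rex(SPLUNK_REGEX))
    print(render_props("linux_secure", "ssh_failed_login"))
    print(render_transforms("ssh_failed_login", SPLUNK_REGEX, numbered=True, repeat=True))
```

Run it before pasting the stanzas: if rex() returns an empty dict, the pattern would silently extract nothing in Splunk too. The numbered form is the one to keep when the same transform is reused across sourcetypes with different field names, since only the FORMAT line changes.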

Sample Event

Paste a raw event and select any portion (hold Ctrl / Cmd on Mac for multiple selections) to generate a Splunk regex.


Output

Rename the field names, sourcetype, and extraction name before you copy the snippets. Press “Build regex from selection” after any changes to update the outputs.

Pattern Preview

Live match highlights based on the current regex.


Splunk Output Snippets

Splunk rex snippet

props.conf snippet

transforms.conf snippet

Tip: adjust the pattern to capture groups with (?<field>...).

Splunk regex essentials

rex command

| rex field=_raw "(?<user>\w+)"

Extracts named capture groups into fields.

match function

| eval is_match=if(match(_raw, "error|fail"), 1, 0)

Boolean match evaluation in SPL.

props/transforms

REGEX = ^(?<time>[^ ]+) (?<host>\S+)

Search-time extractions: a REPORT- line in props.conf points at this transforms.conf stanza and the fields are computed at search time. Index-time extractions use TRANSFORMS- instead, and those fields cannot be changed without re-indexing the data.

Common Splunk patterns

IP address

(?<ip>\d{1,3}(?:\.\d{1,3}){3})

Matches any four dot-separated runs of one to three digits, so 999.300.1.1 and the first four parts of a version string such as 10.20.30.40.50 also match; restrict each octet to 0-255 and add lookarounds when that matters.

Email

(?<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})

UUID

(?<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})
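An added example, not part of the page's tool, that runs the three common patterns above over constructed text and puts a stricter IPv4 pattern next to the loose one so the over-match is visible. Python's re stands in for Splunk's PCRE; the only rewrite needed is the named-group syntax, and the lookarounds used in the strict pattern are supported by both engines. The sample text is made up.

```python
import re

# The three patterns from the list above, as written for Splunk.
COMMON = {
    "ip":    r"(?<ip>\d{1,3}(?:\.\d{1,3}){3})",
    "email": r"(?<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})",
    "uuid":  r"(?<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})",
}
# Each octet limited to 0-255, with lookarounds so a longer dotted run such as
# 10.20.30.40.50 is not partly matched (a \b would still allow that).
STRICT_IP = (r"(?<![\d.])(?<ip>(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
             r"(?:25[0-5]|2[0-4]\d|1?\d?\d))(?![\d.])")

# Constructed test text (not a real event): one valid IP, one with an
# out-of-range octet, and one five-part dotted version string.
SAMPLE = ("user=alice@example.com id=123e4567-e89b-12d3-a456-426614174000 "
          "src=192.0.2.10 bogus=999.300.1.1 ver=10.20.30.40.50")


def splunk_to_python(pattern):
    """(?<name>...) -> (?P<name>...). Only real named groups are rewritten, so the
    (?<! lookbehind in STRICT_IP survives the conversion."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def extract_all(text, splunk_pattern):
    """Every value of the pattern's named group, in order, as rex max_match=0 lists them."""
    rx = re.compile(splunk_to_python(splunk_pattern))
    name = list(rx.groupindex)[0]  # each pattern here has exactly one named group
    return [m.group(name) for m in rx.finditer(text)]


def run_all(text):
    """Results of each common pattern and of the strict IP pattern, side by side."""
    results = {name: extract_all(text, p) for name, p in COMMON.items()}
    results["ip_strict"] = extract_all(text, STRICT_IP)
    return results


if __name__ == "__main__":
    for name, values in run_all(SAMPLE).items():
        print(f"{name:10s} {values}")
```

The loose pattern reports three "addresses" in the sample, two of which are not addresses at all; the strict one reports only 192.0.2.10. In a detection search that joins extracted IPs against a threat list, the loose version is what produces the unexplained misses and false hits.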
