-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathrex-vs-regex.txt
57 lines (40 loc) · 2.77 KB
/
rex-vs-regex.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Edit 1 - 07th march 2018 inventsekar
# to understand the basic differences between rex and regex
# Edit 2 - little editings - 24th May 2020
rex - Description
------------------------
- "rex" is the short form of "regular expression".
- This command is used for "search time field extractions".
- when using "mode=sed", we can do search and replace tasks.
This sed-syntax is also used to mask sensitive data at index-time.
For example, hiding the credit card / SSN numbers while reading credit card / SSN transaction logs.
(Read about using sed to anonymize data in the Getting Data In Manual).
- Note: Running rex against the _raw field might have a performance impact.
There are six broad types for all of the search commands:
distributable streaming, centralized streaming, transforming, generating, orchestrating and dataset processing.
These types are not mutually exclusive. A command might be streaming or transforming, and also generating.
- A streaming command operates on each event as the event is returned by a search. (ex: head, eval, lookup)
- A generating command generates events or reports from one or more indexes without transforming the events(ex: eventcount, makeresults)
- A transforming command orders the results into a data table(ex: addtotals, stats, rare, table)
- An Orchestrating command control some aspect of how a search is processed. They do not directly affect the final result set of the search. For example, you might apply an orchestrating command to a search to enable or disable a search optimization that helps the overall search complete faster.
- A dataset processing command is a command that requires the entire dataset before the command can run.
regex - Description
--------------------------
The regex command removes results that do not match the specified regular expression.
or,
this regex command prints out the results that match the specified regular expression.
#-------------------------------------------------------
# Normally you would use "rex".
# regex is, generally less-required than rex.
# so, as a beginner, if you are got confusion of which one to use "rex or regex", normally you would required to use "rex".
#-------------------------------------------------------
Examples for rex and regex
------------------------------
Example for REX
-------------------
Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
Example for Regex
--------------------
Keep only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8). This example uses a negative lookbehind assertion at the beginning of the expression.
... | regex _raw="(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"