rex command: Examples
The following are examples for using the SPL2 rex command.
1. Use a <sed-expression> to mask values
Use a <sed-expression> to match the regex to a series of numbers and replace the numbers with an anonymized string to preserve privacy. In this example the first 3 sets of numbers for a credit card are masked. The \d must be escaped in the expression using a back slash ( \ ) character.
... | rex field=ccnumber mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"2. Regular expressions with character classes
In this example, the clientip field contains IP addresses. You want to extract the IP class from the IP address. However, the expression uses the character class \d. You can specify the expression in one of two ways.
You can escape the backslash character by enclosing the string in quotation marks and adding another backslash to the character class, as shown in this example:
... | rex field=clientip "(?<ipclass>\\d+)"You can use a forward slash ( / ), instead of quotation marks, to enclose the expression that contains a character class. Here's an example:
... | rex field=clientip /(?<ipclass>\d+)/Either method returns a field called ipclass that contains the class portion of the IP address.
3. Pipeline examples
These examples show how to use the rex command in a pipeline.
Use regular expressions in pipelines to extract HTTP status codes
The following example used the rex command and a named capture group to create a pipeline that extracts HTTP status codes from the event body into a field named httpcode:
$pipeline = | from $source
rex field=_raw /(?P<httpcode>[1-5][0-9][0-9])/
| into $destination
Use regular expressions in pipelines to extract log messages numbers
This example extracts the log message number to a field named msg_num. The _raw field is dropped and the data is sent to an index named cisco_msg_num.
$pipeline = | from $source
| rex field=_raw /(?P<msg_num>(%ASA|%FTD)-\d+-\d+)/
| fields - _raw
| eval index="cisco_msg_num"
| into $destination
Use regular expressions in pipelines to extract fields
If the data values that you want to filter aren't stored in event fields, you can extract those values into fields by using the rex command.
The following example shows how to extract the type of payment method, either Credit Card or Game Card, and place those values into a field named card_type. Then the pipeline filters to return only the events where the card_type is Credit Card. The pipeline then replaces the credit card number with the string "<redacted>".
$pipeline = | from $source
| rex field=_raw /(?P<card_type>(Credit Card|Game Card))/
| where card_type = "Credit Card"
| eval _raw=replace(_raw, /[1-5][0-9]{15}/i, "<redacted>")
| into $destination
See also
rex command
Pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual