Extract new fields using a regular expression. The regular expression can contain one or more named capturing groups. Fields with the names of the groups will be added to the events. Using " in already quoted strings requires escaping. This is sometimes necessary when writing regular expressions. See example 3. Humio uses JitRex which closely follows the syntax of re2j regular expressions, which has a syntax very close to Java’s regular expressions. Check out the syntax.
|regex||string||Yes||Specifies a regular expression. The regular expression can contain one or more named capturing groups. Fields with the names of the groups will be added to the events.|
|field||string||No||@rawstring||Specifies the field to run the regular expression against. Default is running against @rawstring|
|strict||bool||No||true||specifies if events not matching the regular expression should be filtered out of the result set. Strict is the default|
|flags||string||No||m||Specifies other regex flags m is multi line, i is ignore case, and d means dot (.) includes newline.|
|repeat||bool||No||false||If set to true, multiple matches yields multiple events|
regex is the unnamed parameter.
extract the domain name of the http referrer field. Often this field contains a full url, so we can have many different URLs from the same site. In this case we want to count all referrels from the same domain. this will add a field named refdomain to events matching the regular expression
regex("https?://(www.)?(?<refdomain>.+?)(/|$)", field=referrer) | groupby(refdomain, function=count()) | sort(field=_count, type=number, reverse=true)
extract the userid from the url field. New fields is stored in a field named userid
Shows how to escape " in the regular expression. This is necessary because the regular expresssion is itself in quotes. Extract the user and message from events like: ‘Peter: “hello”’ and ‘Bob: “good morning”’