Extract new fields using a regular expression. The regular expression can contain one or more named capturing groups. Fields with the names of the groups will be added to the events. Using " inside an already quoted string requires escaping, which is sometimes necessary when writing regular expressions. See example 3. Humio uses JitRex, which closely follows the syntax of re2j regular expressions; that syntax is very close to Java’s regular expressions.
Name | Type | Required | Default | Description |
---|---|---|---|---|
regex | string | Yes | | Specifies a regular expression. The regular expression can contain one or more named capturing groups. Fields with the names of the groups will be added to the events. |
field | string | No | @rawstring | Specifies the field to run the regular expression against. The default is to run against @rawstring. |
strict | bool | No | true | Specifies whether events that do not match the regular expression are filtered out of the result set. Strict is the default. |
flags | string | No | m | Specifies other regex flags: m is multi-line, i is ignore case, and d means dot (.) includes newline. |
repeat | bool | No | false | If set to true, multiple matches yield multiple events. |
regex is the unnamed parameter.
Extract the domain name from the HTTP referrer field. Often this field contains a full URL, so we can have many different URLs from the same site. In this case we want to count all referrals from the same domain. This will add a field named refdomain to events matching the regular expression.
regex("https?://(www\.)?(?<refdomain>.+?)(/|$)", field=referrer) | groupby(refdomain, function=count()) | sort(field=_count, type=number, reverse=true)
Extract the user ID from the url field. The new value is stored in a field named userid.
regex(regex=".*/user/(?<userid>\S+)/pay", field=url)
Shows how to escape " in the regular expression. This is necessary because the regular expression is itself in quotes. Extract the user and message from events like 'Peter: "hello"' and 'Bob: "good morning"'.
regex("(?<name>\S+): \"(?<msg>[^\"]+)\"")
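The effect of the field, strict, flags and repeat parameters from the table above, as an added JavaScript model run over constructed events; it is not Humio's code, and JavaScript's regex engine differs from JitRex/re2j. The helper names (regexFn, countBy) and the sample events are assumptions made for illustration, and the two patterns are the page's first and third examples written as JavaScript string literals, with the dot after www escaped and msg matched as [^"]+ so that a message containing a space still matches.

```javascript
// Added example: models the documented regex() parameters; not Humio's implementation.
// Documented flags mapped to JavaScript's: m -> m, i -> i, d (dot matches newline) -> s.
const FLAG_MAP = { m: "m", i: "i", d: "s" };

function regexFn(events, pattern, opts = {}) {
  const { field = "@rawstring", strict = true, flags = "m", repeat = false } = opts;
  const jsFlags = [...new Set(flags)].map((f) => FLAG_MAP[f] ?? "").join("") + "g";
  const out = [];
  for (const event of events) {
    const value = event[field];
    const matches =
      typeof value === "string" ? [...value.matchAll(new RegExp(pattern, jsFlags))] : [];
    if (matches.length === 0) {
      // strict=true drops the non-matching event; strict=false passes it through unchanged.
      if (!strict) out.push({ ...event });
      continue;
    }
    // repeat=false keeps only the first match; repeat=true yields one event per match.
    for (const m of repeat ? matches : matches.slice(0, 1)) {
      const fields = Object.entries(m.groups ?? {}).filter(([, v]) => v !== undefined);
      out.push({ ...event, ...Object.fromEntries(fields) });
    }
  }
  return out;
}

// Stand-in for groupby(<key>, function=count()).
function countBy(events, key) {
  const counts = {};
  for (const e of events) counts[e[key]] = (counts[e[key]] ?? 0) + 1;
  return counts;
}

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { "@rawstring": 'Peter: "hello"', referrer: "https://www.example.com/a/b" },
  { "@rawstring": 'Bob: "good morning"', referrer: "http://example.com/" },
  { "@rawstring": "heartbeat", referrer: "https://docs.example.org" },
];

const REFERRER_RE = "https?://(www\\.)?(?<refdomain>.+?)(/|$)";
console.log(countBy(regexFn(SAMPLE_EVENTS, REFERRER_RE, { field: "referrer" }), "refdomain"));

const QUOTED_RE = '(?<name>\\S+): "(?<msg>[^"]+)"';
console.log(regexFn(SAMPLE_EVENTS, QUOTED_RE).length);                    // strict: 2 events
console.log(regexFn(SAMPLE_EVENTS, QUOTED_RE, { strict: false }).length); // non-strict: 3 events
```

With strict left at its default, the heartbeat event silently disappears from the result set, which matters when the extraction feeds a count or an alert; strict=false keeps it, just without the extracted fields.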