You can type regular expressions in text boxes for field values to extract fields from log events.
The expressions you type must use the Java regular expressions syntax.
Table 1.
Characters operators
| Regular Expression |
Description |
| \ |
Escapes a special character |
| \b |
Word boundary |
| \B |
Not a word boundary |
| \d |
One digit |
| \D |
One non-digit |
| \n |
New line |
| \r |
Return character |
| \s |
One space |
| \S |
Any character except white space |
| \t |
Tab |
| \w |
One alphanumeric or underscore character |
| \W |
One non alphanumeric or underscore character |
| |
|
For example, if you have the string 1234-5678 and apply the following regular expressions
| Regular Expression |
Result |
| \d |
1 |
| \d+ |
1234 |
| \w+ |
1234 |
| \S |
1234-5678 |
Table 2.
Quantifiers operators
| Regular Expression |
Description |
| . |
Any character except new line |
| * |
Zero or more characters as long as possible |
| ? |
Zero or one character OR as short as possible |
| + |
One or more |
| {<n>} |
Exactly <n> times |
| {<n>,<m>} |
<n> to <m> times |
For example, if you have the string aaaaa and apply the following regular expressions
| Regular Expression |
Result |
| . |
a |
| * |
aaaaa |
| .*? |
aaaaa |
| .{1} |
a |
| .{1,2} |
aa |
Table 3.
Combinations operators
| Regular Expression |
Description |
| .* |
Anything |
| .*? |
Anything as short as possible before |
For example, if you have the string a b 3 hi d hi and apply the following regular expressions
| Regular Expression |
Result |
| a.* hi |
b 3 hi d |
| a .*? hi |
b 3 |
Table 4.
Logic operators
| Regular Expression |
Description |
| ^ |
Beginning of a line OR not if in brackets |
| $ |
End of a line |
| () |
Encapsulation |
| [] |
One character in brackets |
| | |
OR |
| - |
Range |
| \A |
Beginning of a string |
| \Z |
End of a string |
For example, if you apply the following regular expressions
| Regular Expression |
Result |
| (hello)? |
Either contains hello OR does not contain hello |
| (a|b|c) |
a OR b OR c |
| [a-cp] |
a OR b OR c OR p |
| world$ |
Ends with world followed by nothing else |
Table 5.
Lookahead operators
| Regular Expression |
Description |
| ?= |
Positive lookahead (contains) |
| ?!= |
Negative lookahead (does not contain) |
For example, if you apply the following regular expressions
| Regular Expression |
Result |
| is (?=\w+)\w{2} primary |
is FT primary? false |
| opid=(?!WFU-1fecf8f9)\S+ |
WFU-3c9bb994 |
Table 6.
Additional Examples of Regular Expressions
| Regular Expression |
Description |
| [xyz] |
x, y, or z |
| (info|warn|error) |
info, warn, or error |
| [a-z] |
A lowercase letter |
| [^a-z] |
Not a lowercase letter |
| [a-z]+ |
One or more lowercase letters |
| [a-z]* |
Zero or more lowercase letters |
| [a-z]? |
Zero or one lowercase letter |
| [a-z] {3} |
Exactly three lowercase letters |
| [\d] |
A digit |
| \d+$ |
One or more digits followed by end of message |
| [0-5] |
A number from 0 to 5 |
| \w |
A word character (letter, digit, or underscore) |
| \s |
White space |
| \S |
Any character except white space |
| [a-zA-Z0-9]+ |
One or more alphanumeric characters |
| ([a-z] {2,} [0-9] {3,5}) |
Two or more letters followed by three to five numbers |
