Skip to content

Using Splunk Rex, Erex Commands & Field Extractions


Written by: Kinney Group | Last Updated:

February 2, 2024
Using Splunk Rex, Erex Commands & Field Extractions

Originally Published:

September 9, 2022

Getting data into Splunk is hard enough. After uploading a CSV, monitoring a log file, or forwarding data for indexing, more often than not, the data does not look the way you’d expect it to. The large blocks of unseparated data that are produced when it’s ingested are hard to read and unable to be searched. If the data is not already separated into events, doing so may seem like an uphill battle. 

You may be wondering how to parse and perform advanced search commands using fields. This is where field extraction comes in handy.

What is a field extraction?

A field extraction enables you to extract additional fields out of your data sources. This enables you to gain more insights from your data so you and other stakeholders can use it to make informed decisions about the business.

Field Extraction via the GUI

Field extractions in Splunk are the function and result of extracting fields from your event data for both default and custom fields. Field extractions allow you to organize your data in a way that lets you see the results you’re looking for.

How to Perform a Field Extraction [Example]

How to Perform a Field Extraction [Example] - GUI in Splunk
Figure 1 – Extracting searchable fields via Splunk Web
Pictured above is one of Splunk’s solutions to extracting searchable fields out of your data via Splunk Web. 

Step 1: Within the Search and Reporting App, users will see this button available upon search. After clicking, a sample of the file is presented for you to define from events the data. The image below demonstrates this feature of Splunk’s Field Extractor in the GUI, after selecting an event from the sample data.

How to Perform a Field Extraction [Example] - Splunk’s Field Extractor in the GUI
Figure 2 – Sample file in Splunk’s Field Extractor in the GUI
Step 2: From here, you have two options: use a regular expression to separate patterns in your event data into fields, and the ability to separate fields by delimiter. Delimiters are characters used to separate values such as commas, pipes, tabs, and colons.

How to Perform a Field Extraction [Example] - Regex delim in Splunk’s Field Extractor in the GUI
Figure 3 – Regular expressions vs delimiter in Splunk

How to Perform a Field Extraction [Example] - Delimiter in Splunk’s Field Extractor
Figure 4 – Delimiter in Splunk’s Field Extractor
Step 3: If you have selected a delimiter to separate your fields, Splunk will automatically create a tabular view in order to allow you to see what all events properly parsed would look like compared to its _raw data pictured above.

Step 4: You can choose to rename all fields parsed by the selected delimiter. After saving, you will be able to search upon these fields, perform mathematical operations, and advanced SPL commands.

Splunk Pro Tip: This type of work can be a considerable resource expense when executing it in-house. The experts at Kinney Group have several years of experience architecting, creating, and solving in Splunk. With Expertise on Demand, you’ll have access to some of the best and brightest minds to walk you through simple and tough problems as they come up.

Kinney Group Expertise on Demand

See for Yourself

New call-to-action

What are Rex and Erex Commands?

After extracting fields, you may find that some fields contain specific data you would like to manipulate, use for calculations, or display by themselves. You can use the Rex and Erex commands to do this.

What is the Rex command?

The Rex command can be used to create a new field out of any existing field which you have previously defined. This new field will appear in the field sidebar on the Search and Reporting app to be utilized like any other extracted field.

Rex Command Syntax

| rex [field=<field>] (<regex-expression>)

In order to define what your new field name will be called in Splunk, use the following syntax:

| rex [field=<field>] (?<field_name>”regex”)

What is the Erex Command?

The erex command allows users to generate regular expressions. Unlike Splunk’s rex and regex commands, erex does not require knowledge of Regex, and instead allows a user to define examples and counter-examples of the data that needs to be matched.

Erex Command Syntax

 | erex <field_name> examples="<example, <example>" counterexamples="<example,


Erex Command Syntax Example

 | erex Port_Used examples=”Port 8000, Port 3182”

Start Using Field Extractions, Rex, and Erex Commands

A ton of incredible work can be done with your data in Splunk including extracting and manipulating fields in your data. But, you don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate. 

Cue Expertise on Demand, a service that can help with those Splunk issues and improvements to scale. EOD is designed to answer your team’s daily questions and breakthrough stubborn roadblocks. Book a free consultation today, our team of experts is ready to help.

New call-to-action

Helpful? Don't forget to share this post!
Share on linkedin
Share on reddit
Share on email
Share on twitter
Share on facebook