Using the Splunk rex and erex Commands with Field Extractions

Getting data into Splunk is hard enough. After uploading a CSV, monitoring a log file, or forwarding data for indexing, more often than not, the data does not look the way you’d expect it to. The large blocks of unseparated data that are produced when it’s ingested are hard to read and unable to be searched. If the data is not already separated into events, doing so may seem like an uphill battle. Using Splunk field extractions with rex and erex will allow you to parse and perform advanced search commands using fields. This is where field extraction comes in handy.

What is a field extraction?

A field extraction enables you to extract additional fields out of your data sources. This enables you to gain more insights from your data so you and other stakeholders can use it to make informed decisions about the business.

Field Extraction via the GUI

Field extractions in Splunk are the function and result of extracting fields from your event data for both default and custom fields. Field extractions allow you to organize your data in a way that lets you see the results you’re looking for.

How to Perform a Field Extraction [Example]

Pictured above is one of Splunk’s solutions to extracting searchable fields out of your data via Splunk Web. 

Step 1: Within the Search and Reporting App, users will see this button available upon search. After clicking, a sample of the file is presented for you to define from events the data. The image below demonstrates this feature of Splunk’s Field Extractor in the GUI, after selecting an event from the sample data.

Step 2: From here, you have two options: use a regular expression to separate patterns in your event data into fields, and the ability to separate fields by delimiter. Delimiters are characters used to separate values such as commas, pipes, tabs, and colons.

Step 3: If you have selected a delimiter to separate your fields, Splunk will automatically create a tabular view in order to allow you to see what all events properly parsed would look like compared to its _raw data pictured above.

Step 4: You can choose to rename all fields parsed by the selected delimiter. After saving, you will be able to search upon these fields, perform mathematical operations, and advanced SPL commands.

What are Rex and Erex Commands?

After extracting fields, you may find that some fields contain specific data you would like to manipulate, use for calculations, or display by themselves. You can use the Rex and Erex commands to do this.

What is the rex command?

The rex command can be used to create a new field out of any existing field which you have previously defined. This new field will appear in the field sidebar on the Search and Reporting app to be utilized like any other extracted field.

Command Syntax

| rex [field=<field>] (<regex-expression>)

In order to define what your new field name will be called in Splunk, use the following syntax:

| rex [field=<field>] (?<field_name>”regex”)

What is the erex Command?

The erex command allows users to generate regular expressions. Unlike Splunk’s rex and regex commands, erex does not require knowledge of Regex, and instead allows a user to define examples and counter-examples of the data that needs to be matched.

 | erex <field_name> examples="<example, <example>" counterexamples="<example,<example>"

Command Syntax

 | erex Port_Used examples=”Port 8000, Port 3182”

Start Using Field Extractions, Rex, and Erex Commands

A ton of incredible work can be done with your data in Splunk including extracting and manipulating fields in your data. But, you don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate. 

Cue Expertise on Demand, a service that can help with those Splunk issues and improvements to scale. EOD is designed to answer your team’s daily questions and breakthrough stubborn roadblocks. Book a free consultation today, our team of experts is ready to help.