Regex Matching
Regular expressions usage, with examples, supported flags, and syntax details.
The matches regex, search, where, in, !in, in~, and !in~ operators can use regex syntax to match against strings and regex literals.
To match against regex literals, the supported comparison operators are ==, =~, !=, and !~.
Regex Examples
The examples below focus on using regular expressions with the where operator.
Match on String Values
Match a corresponding regex literal, with wildcard. This is case-sensitive by default:
dataset=myDataset
| summarize event_count=count() by State
| where State == /K.*S/Case-insensitive version of the above query, using the /i flag:
dataset=myDataset
| summarize event_count=count() by State
| where State == /k.*s/iCase-insensitive, using the =~ operator instead of the /i flag:
dataset=myDataset
| summarize event_count=count() by State
| where State =~ /k.*s/Match on in Lists or Combined Targets
Mix and match string targets with regex literal targets:
dataset="cribl_internal_logs" method=*
| limit 1000
| where method in ("GET", /^po.*/i)Same query, using the in~ operator for implicit /i:
dataset="cribl_internal_logs" method=*
| limit 1000
| where method in~ ("GET", /^po.*/)An “or” query with | notation:
dataset="cribl_internal_logs" method=*
| limit 1000
| where method == /post|get/iA negation query:
dataset="cribl_internal_logs" method=*
| limit 1000
| where method != /post|get/iFind the string value bar in the field foo:
cribl foo = /bar/Regex Flags
Evaluation is case-sensitive by default. You can ignore case by using the /i flag or =~ operator, as shown in the examples below.
This operator supports any combination of the /i, /m, /s, and /u flags:
| Flag | Description |
|---|---|
i | Case-insensitive match. |
m | Multi-line mode: Allows ^ and $ to match next to newline characters. |
s | Single-line (“dotail”) mode: Allows . to match newline characters. |
u | Unicode (full) mode; Allows matching against 4-byte Unicode characters. |
Disambiguate Regex Characters
In some expressions, you might need to distinguish regex literal delimiters from division symbols. Consider this expression:
dataset=myDataset
| <query>
| where value == 10/20/5The /20/ portion could be a regular expression. But given the numeric characters surrounding it, Cribl Search interprets as division. However, a similar expression with non-numeric characters is ambiguous:
dataset=myDataset
| <query>
| where value == x/y/zHere, Cribl Search would try to interpret /y/ as a regular expression. You can disambiguate the expression as a series of divisions by inserting blank spaces, conceptually like this:
where value == x / y / zBut to insert the blank spaces within regex syntax, you’d use the \s character qualifier:
dataset=myDataset
| <query>
| where value == /x\s\/\sy\s\/\sz/In the above style of regular expression,
/must be escaped as\/.