You can type regular expressions in text boxes for field values to extract fields from log events.

The expressions you type must use the Java regular expressions syntax.

Characters operators

Regular Expression

Description

\

Escapes a special character

\b

Word boundary

\B

Not a word boundary

\d

One digit

\D

One non-digit

\n

New line

\r

Return character

\s

One space

\S

Any character except white space

\t

Tab

\w

One alphanumeric or underscore character

\W

One non alphanumeric or underscore character

For example, if you have the string 1234-5678 and apply the following regular expressions

Regular Expression

Result

\d

1

\d+

1234

\w+

1234

\S

1234-5678
Quantifiers operators

Regular Expression

Description

.

Any character except new line

*

Zero or more characters as long as possible

?

Zero or one character OR as short as possible

+

One or more

{<n>}

Exactly <n> times

{<n>,<m>}

<n> to <m> times

For example, if you have the string aaaaa and apply the following regular expressions

Regular Expression

Result

.

a

*

aaaaa

.*?

aaaaa

.{1}

a

.{1,2}

aa
Combinations operators

Regular Expression

Description

.*

Anything

.*?

Anything as short as possible before

For example, if you have the string a b 3 hi d hi and apply the following regular expressions

Regular Expression

Result

a.* hi

b 3 hi d

a .*? hi

b 3

Logic operators

Regular Expression

Description

^

Beginning of a line OR not if in brackets

$

End of a line

()

Encapsulation

[]

One character in brackets

|

OR

-

Range

\A

Beginning of a string

\Z

End of a string

For example, if you apply the following regular expressions

Regular Expression

Result

(hello)?

Either contains hello OR does not contain hello

(a|b|c)

a OR b OR c

[a-cp]

a OR b OR c OR p

world$

Ends with world followed by nothing else

Lookahead operators

Regular Expression

Description

?=

Positive lookahead (does not contain)

?!=

Negative lookahead (does not contain)

For example, if you apply the following regular expressions

Regular Expression

Result

is (?=\w+)\w{2} primary

is FT primary? false

opid=(?!WFU-1fecf8f9)\S+

WFU-3c9bb994

Additional Examples of Regular Expressions

Regular Expression

Description

[xyz]

x, y, or z

(info|warn|error)

info, warn, or error

[a-z]

A lowercase letter

[^a-z]

Not a lowercase letter

[a-z]+

One or more lowercase letters

[a-z]*

Zero or more lowercase letters

[a-z]?

Zero or one lowercase letter

[a-z] {3}

Exactly three lowercase letters

[\d]

A digit

\d+$

One or more digits followed by end of message

[0-5]

A number from 0 to 5

\w

A word character (letter, digit, or underscore)

\s

White space

\S

Any character except white space

[a-zA-Z0-9]+

One or more alphanumeric characters

([a-z] {2,} [0-9] {3,5})

Two or more letters followed by three to five numbers