Splunk regular expression modifier flags

I use Splunk on a daily basis at work and have created a lot of searches/reports/alerts etc. A fair number of these use regular expressions (the Splunk "rex" function) and today, I absolutely had to be able to use a modifier flag, something of a rarity for me in Splunk.

As it turns out, the regex docs in the Splunk rex documentation is not described (unless I somehow missed it) so I had to do a bit of digging to find out how to do this. The upshot is that it's very simple, for example:

rex field=hostname "(?Ui)^(?<year>\d{4})-(?<month>\d{1,2})-(?<date>\d{1,2}) (?<hours>\d{1,2}):(?<minutes>\d{1,2}):(?<seconds>\d{1,2}).*$"

The flags used in this example are in the leading (?Ui) before the caret (^):

U - ungreedy match
i - case-insensitive match

but you can use any PCRE modifier flags you want, e.g. multiline would be (?m).

Splunk uses PCRE regular expressions and there's a handy PCRE regex cheatsheet I found and also a really good regex tester.

Created: Wed, 12 Feb 2014 18:00:00 GMT
Last modified: Wed, 12 Feb 2014 18:00:00 GMT