The Alchemist's Lab • Room 2

Regex Extraction

The **rex** command extracts fields on the fly using regular expressions (regex).

Use named capturing groups like `(?<fieldname>regex)` to pull out specific data into a new field.

Unlike `eval`, `rex` matches against raw data and extracts substrings.

Extracting an IP
| rex field=_raw "Failed password for .* from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
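To see what the extraction above does to individual events, here is an added Python simulation (not Splunk code and not part of this room) that applies the same pattern to a few constructed sshd-style log lines, leaves non-matching events without the field just as `rex` does, and then counts failed logins per `src_ip` the way `| stats count by src_ip` would. Python's `re` only accepts `(?P<name>...)`, so the helper rewrites the PCRE-style `(?<name>...)` group syntax that Splunk uses.

```python
import re
from collections import Counter

# Constructed sample events (not real logs), shaped like sshd auth messages.
EVENTS = [
    "Jan 10 03:14:07 bastion sshd[2211]: Failed password for root from 203.0.113.45 port 52214 ssh2",
    "Jan 10 03:14:09 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 52216 ssh2",
    "Jan 10 03:14:11 bastion sshd[2213]: Accepted publickey for deploy from 198.51.100.7 port 41022 ssh2",
    "Jan 10 03:14:15 bastion sshd[2215]: Failed password for guest from 198.51.100.23 port 41030 ssh2",
]

# The rex pattern from the page, verbatim. Splunk's rex uses PCRE named groups: (?<name>...).
REX_PATTERN = r"Failed password for .* from (?<src_ip>\d+\.\d+\.\d+\.\d+)"


def rex(events, pattern):
    """Mimic `| rex field=_raw "<pattern>"`: return one dict per event.

    Events that match gain the named groups as fields; events that do not
    match are passed through unchanged, which is how rex behaves.
    """
    # Python's re module understands only (?P<name>...), so translate the
    # PCRE form. The negative lookahead leaves lookbehinds (?<= and (?<! alone.
    compiled = re.compile(re.sub(r"\(\?<(?!=|!)", "(?P<", pattern))
    results = []
    for raw in events:
        fields = {"_raw": raw}
        m = compiled.search(raw)
        if m:
            fields.update(m.groupdict())
        results.append(fields)
    return results


def failed_logins_by_ip(events):
    """Mimic `| rex ... | stats count by src_ip` for the failed-login pattern."""
    return Counter(e["src_ip"] for e in rex(events, REX_PATTERN) if "src_ip" in e)


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(EVENTS).most_common():
        print(f"{ip}\t{n}")
```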

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Use rex to extract a field called "user" that follows the string "User: " in the _raw field.