Regex Extract | Cribl Docs
文雅的开水瓶
11 months ago
</noscript><div class="main-wrapper docs-wrapper docs-doc-page"><div class="docPage_lDyR"><main class="docMainContainer_r8cw"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_zHA2"><div class="docItemContainer_oiyr"><article><span class="theme-doc-version-badge badge badge--secondary">Version: 4.3</span><div 
class="theme-doc-markdown markdown"><header><h1 class="anchor anchorWithStickyNavbar_yP2J">Regex Extract</h1></header><p>The Regex Extract Function extracts fields using regex named groups. (In Splunk, these will be index-time fields.) Fields that start with <code>__</code> (double underscore) are special in Cribl Stream. They are ephemeral: they can be used by any Function downstream, but <strong>will not</strong> be added to events, and <strong>will not</strong> exit the Pipeline.</p><h2 class="anchor anchorWithStickyNavbar_yP2J" id="usage">Usage</h2><p><strong>Filter</strong>: Filter expression (JS) that selects data to feed through the Function. Defaults to <code>true</code>, meaning it evaluates all events.</p><p><strong>Description</strong>: Simple description of the Function. Defaults to empty.</p><p><strong>Final</strong>: If toggled to <code>Yes</code>, stops feeding data to the downstream Functions. Defaults to <code>No</code>.</p><p><strong>Regex</strong>: Regex literal. Must contain named capturing groups, e.g.: <code>(?<foo>bar)</code>. Can contain special <code>_NAME_N</code> and <code>_VALUE_N</code> capturing groups, which extract <strong>both the name and value</strong> of a field, e.g.: <code>(?<_NAME_0>[^\s=]+)=(?<_VALUE_0>[^\s]+)</code>. Defaults to empty. See <a href="#examples">Examples</a> below.</p><p><strong>Additional regex</strong>: Click <strong>Add Regex</strong> to chain extra regex conditions.</p><p><strong>Source field</strong>: Field on which to perform regex field extraction. Nested addressing is supported. Defaults to <code>_raw</code>. 
</p><h3 class="anchor anchorWithStickyNavbar_yP2J" id="advanced-settings">Advanced Settings</h3><p><strong>Max exec</strong>: The maximum number of times to apply the <strong>Regex</strong> to the source field when the global flag is set, or when using <code>_NAME_N</code> and <code>_VALUE_N</code> capturing groups. Named capturing groups will always use a value of <code>1</code>. Defaults to <code>100</code>.</p><p><strong>Field name format expression</strong>: JavaScript expression to format field names when <code>_NAME_N</code> and <code>_VALUE_N</code> capturing groups are used. E.g., to append <code>_XX</code> to all field names, use: <code>`${name}_XX`</code> (backticks are literal). If not specified, names will be sanitized using regex: <code>/^[_0-9]+|[^a-zA-Z0-9_]+/g</code>. The <strong>original</strong> field name is in the global <code>name</code>. You can access other fields' values via <code>__e.<fieldName></code>.</p><p><strong>Overwrite existing fields</strong>: Whether to overwrite existing event fields with extracted values. If set to <code>No</code> (the default), existing fields will be converted to an array. If toggled to <code>Yes</code>, Regex Extract will create array fields if applied multiple times, or if fields exist. 
(E.g., if <code>src_ip</code> is extracted in an input Pipeline where it is assigned a value of <code>10.1.2.2</code>, and is also in a processing Pipeline with a value of <code>10.2.3.3</code>, then the resulting field is <code>["10.1.2.2", "10.2.3.3"]</code>.)</p><h2 class="anchor anchorWithStickyNavbar_yP2J" id="examples">Examples<a aria-hidden="true" class="hash-link" href="#examples" title="Direct link to heading"></a></h2><h3 class="anchor anchorWithStickyNavbar_yP2J" id="example1-singlefield-from-simple-event">Example 1: Single Field from Simple Event<a aria-hidden="true" class="hash-link" href="#example1-singlefield-from-simple-event" title="Direct link to heading"></a></h3><p>Assume a simple event that looks like this: <code>metric1=23 metric2=42 dc=23 abc=xyz</code></p><p>Extract <strong>only</strong> the <code>metric1</code> field: </p><p><strong>Regex</strong>: <code>metric1=(?<metric1>\d+)</code> <strong>Result</strong>: <code>metric1:"23"</code> </p><h3 class="anchor anchorWithStickyNavbar_yP2J" id="example-2">Example 2: Key‑Value Pairs from Multiple Fields<a aria-hidden="true" class="hash-link" href="#example-2" title="Direct link to heading"></a></h3><p>Use this sample:</p><div class="codeBlockContainer_J+bg"><div class="codeBlockContent_csEI"><pre tabindex="0" class="prism-code language-undefined codeBlock_rtdJ thin-scrollbar" style="color:var(--prism-plain-color);background-color:var(--prism-plain-backgroundColor)"><code class="codeBlockLines_1zSZ"><span class="token-line" style="color:var(--prism-plain-color)"><span class="token plain">rec_type=71 rec_type_simple=RNA dest_port=443 snmp_out=0 netflow_src="00000000-0000-0000-0000-000000000000" ssl_server_cert_status="Not Checked" dest_ip=172.20.115.42 sec_intel_event=No mac_address=00:00:00:00:00:00 dest_bytes=3746 dest_autonomous_system=0 security_context=00000000000000000000000000000000 src_port=41925 web_app=Unknown url=https://outlook.ssg.petsmart.com url_reputation="Risk unknown" 
first_pkt_sec=1543598207 vlan_id=0 ssl_flow_error=0 ssl_actual_action=Unknown has_ipv6=1 monitor_rule_6=N/A monitor_rule_7=N/A monitor_rule_4=N/A monitor_rule_5=N/A monitor_rule_2=N/A monitor_rule_3=N/A ips_count=0 monitor_rule_1=N/A dest_tos=0 src_ip=192.168.228.5 referenced_host="" iface_ingress=DMZ3.30 monitor_rule_8=0 event_subtype=1 fw_rule_reason=N/A event_type=1003 ssl_version=Unknown dns_resp_id=0 sensor=ssg-inet-fpr-ftd-fw01 sec_zone_egress=Inside src_tos=0 client_app="SSL client" snmp_in=0 user=Unknown ssl_flow_messages=0 iface_egress=inside http_referrer="" src_pkts=0 event_desc="Flow Statistics" event_usec=0 client_version="" fw_rule_action=Allow ssl_cert_fingerprint=0000000000000000000000000000000000000000 ssl_url_category=0 file_count=0 sec_zone_ingress=DMZ3 instance_id=6 src_bytes=1013 src_ip_country=unknown ssl_cipher_suite=TLS_NULL_WITH_NULL_NULL user_agent="" http_response=0 src_mask=0 dest_mask=0 sec_intel_ip=N/A netbios_domain="" tcp_flags=0 dns_rec_id=0 fw_policy="SSG INET Access Control Policy" last_pkt_sec=1543598207 legacy_ip_address=0.0.0.0 ip_proto=TCP connection_id=21378 dest_pkts=0 app_proto=HTTPS ssl_flow_status=Unknown ssl_rule_id=0 ssl_session_id=0000000000000000000000000000000000000000000000000000000000000000 dns_query="" rec_type_desc="Connection Statistics" url_category=Unknown fw_rule="Outbound Web" src_autonomous_system=0 ssl_flow_flags=0 ip_layer=0 event_sec=1543598205 ssl_ticket_id=0000000000000000000000000000000000000000 sinkhole_uuid=00000000-0000-0000-0000-000000000000 dest_ip_country=unknown ssl_expected_action=Unknown num_ioc=0 dns_ttl=0 ssl_policy_id=00000000000000000000000000000000 ssl_server_name=""</span><br/></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_M3SB clean-btn">Copy</button></div></div><p>Use a regex to extract <strong>all</strong> k=v pairs, then use <strong>Field Name Format Expression</strong> to append an <code>_XX</code> suffix to each extracted 
field:</p><p><strong>Regex</strong>: <code>(?<_NAME_0>[\w-]+)="?(?<_VALUE_0>(?<=")[^"]*|\S*)</code> <strong>Field Name Format Expression</strong>: <code>`${name}_XX`</code></p><p><strong>Results</strong>:</p><figure class="cribl-image"><img class="content-image" src="/assets/images/ex-2-final-redacted-5783cdd9eb007b93926f71cddff09c6e.png" alt="Example 2 results"/><figcaption>Example 2 results</figcaption></figure><h3 class="anchor anchorWithStickyNavbar_yP2J" id="example-3-multistage-extraction-complexevents">Example 3: Multi-Stage Extraction, Complex Events</h3><p>This example builds on the syntax in <a href="#example-2">Example 2</a>, to tackle a more complex event structure. 
</p><p>In the right <strong>Sample Data</strong> pane, click <strong>Paste</strong> and insert the following sample:</p><div class="codeBlockContainer_J+bg" title="Sample"><div class="codeBlockContent_csEI"><pre tabindex="0" class="prism-code codeBlock_rtdJ thin-scrollbar" style="color:var(--prism-plain-color);background-color:var(--prism-plain-backgroundColor)"><code class="codeBlockLines_1zSZ"><134>1 2020-12-22T17:06:08Z CORP_INT_NLB CheckPoint 18160 - [action:"Accept"; conn_direction:"Internal"; flags:"4606212"; ifdir:"inbound"; ifname:"bond2.1025"; logid:"0"; loguid:"{0x5fe25889,0x0,0x80ad57cd,0xeb91c0c3}"; origin:"192.168.20.54"; originsicname:"CN=TST32-VSX0-FW-DC-01_tst302-shd,O=CORP-SEC-SHRD-CMA..t7xpcz"; sequencenum:"3"; time:"1608656768"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={15E4B45A-663B-5B49-BD59-CD9B9F21AA16};mgmt=SHRDFW01CON;date=1608236862;policy_name=TEST-SHRD-POL\]"; dst:"192.168.79.20"; log_delay:"1608656768"; layer_name:"TEST-SHRD-POL Security"; layer_uuid:"e914c2f3-d7bd-4a77-8e7a-7a5e403447aa"; match_id:"1"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"001ab86d-d201-4b61-9b64-0fede1a9f059"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"45519"; service:"123"; service_id:"ntp-udp"; src:"192.168.79.22"; ]</code></pre></div></div><p>This event is from a CheckPoint Firewall CMA system. With this type of event structure, properly extracting each event field into a separate metadata field requires two-stage processing. So we'll use two Regex Extract Functions. </p><p>The first Regex Function splits the event to separate the actual data from the header information. 
We'll split after the <code>CheckPoint 18160</code> string, by capturing everything between the <code>[</code> and <code>]</code>:</p><p><strong>Regex</strong>: <code>\[(?<__fields>.*)\]</code></p>
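<p>The settings described above, modelled in JavaScript and run over the page's three examples, added here as an illustration and not Cribl's own code. The event object shape, the Field name format expression written as a plain function of <code>name</code>, the shortened samples and the stage-2 regex for Example 3 are my assumptions; the page shows only stage 1.</p>

```javascript
// Added example, not Cribl's own code: a small model of the Regex Extract
// Function's documented behaviour (named groups, _NAME_N/_VALUE_N pairs,
// Max exec, the default name sanitizer, Overwrite existing fields and
// ephemeral "__" fields), run against the page's three examples.
// Assumptions (mine): events are plain objects, the Field name format
// expression is modelled as a function receiving `name`, and the stage-2
// regex in runExample3 is my own, because the page shows only stage 1.

// Default sanitizer the docs apply when no format expression is given.
const SANITIZE = /^[_0-9]+|[^a-zA-Z0-9_]+/g;

// Set one field, honouring "Overwrite existing fields": with overwrite=false
// (the default) an existing field is turned into an array of both values.
function setField(event, name, value, overwrite) {
  if (overwrite || !(name in event)) { event[name] = value; return; }
  const cur = event[name];
  event[name] = Array.isArray(cur) ? cur.concat(value) : [cur, value];
}

// Apply one Regex Extract configuration to an event and return a new event.
function regexExtract(event, cfg) {
  const { regex, sourceField = "_raw", maxExec = 100,
          fieldNameFormat = null, overwrite = false } = cfg;
  const out = { ...event };
  const src = event[sourceField];
  if (typeof src !== "string") return out;

  const usesPairs = /\(\?<_NAME_\d+>/.test(regex.source);
  // Max exec applies with the global flag or _NAME_N/_VALUE_N pairs;
  // plain named groups always use 1.
  const limit = (regex.global || usesPairs) ? maxExec : 1;
  const re = new RegExp(regex.source, regex.global ? regex.flags : regex.flags + "g");

  let m, execs = 0;
  while (execs < limit && (m = re.exec(src)) !== null) {
    execs++;
    if (m[0].length === 0) re.lastIndex++;            // never loop on an empty match
    const groups = m.groups || {};
    for (const [group, text] of Object.entries(groups)) {
      if (text === undefined) continue;                // group did not participate
      const pair = /^_NAME_(\d+)$/.exec(group);
      if (pair) {                                      // name/value pair: text is the name
        const value = groups[`_VALUE_${pair[1]}`];
        if (value === undefined) continue;
        const name = fieldNameFormat ? fieldNameFormat(text) : text.replace(SANITIZE, "");
        if (name) setField(out, name, value, overwrite);
      } else if (!/^_VALUE_\d+$/.test(group)) {        // ordinary named group
        setField(out, group, text, overwrite);
      }
    }
  }
  return out;
}

// Model of the Pipeline exit: fields starting with "__" are ephemeral and dropped.
function exitPipeline(event) {
  return Object.fromEntries(Object.entries(event).filter(([k]) => !k.startsWith("__")));
}

// Example 1: only metric1 is extracted from the simple event.
function runExample1() {
  return regexExtract({ _raw: "metric1=23 metric2=42 dc=23 abc=xyz" },
                      { regex: /metric1=(?<metric1>\d+)/ });
}

// Example 2 on a constructed subset of the page's sample (first pairs plus
// quoted and empty values), with the `${name}_XX` expression and optional Max exec.
const EXAMPLE2_RAW = 'rec_type=71 rec_type_simple=RNA dest_port=443 '
  + 'ssl_server_cert_status="Not Checked" dest_ip=172.20.115.42 '
  + 'url_reputation="Risk unknown" referenced_host="" src_port=41925';
function runExample2(maxExec = 100) {
  return regexExtract({ _raw: EXAMPLE2_RAW }, {
    regex: /(?<_NAME_0>[\w-]+)="?(?<_VALUE_0>(?<=")[^"]*|\S*)/,
    fieldNameFormat: (name) => `${name}_XX`,
    maxExec,
  });
}

// Example 3, two stages on a constructed subset of the CheckPoint sample:
// stage 1 captures the bracketed body into the ephemeral __fields; stage 2
// (my regex, not the page's) extracts key:"value" pairs from __fields. Note
// how the sanitizer turns the event's own __policy_id_tag into policy_id_tag,
// so the extracted field is not accidentally ephemeral.
const EXAMPLE3_RAW = '<134>1 2020-12-22T17:06:08Z CORP_INT_NLB CheckPoint 18160 - '
  + '[action:"Accept"; conn_direction:"Internal"; '
  + '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={15E4B45A-663B-5B49-BD59-CD9B9F21AA16};policy_name=TEST-SHRD-POL\\]"; '
  + 'dst:"192.168.79.20"; src:"192.168.79.22"; ]';
function runExample3() {
  const stage1 = regexExtract({ _raw: EXAMPLE3_RAW }, { regex: /\[(?<__fields>.*)\]/ });
  const stage2 = regexExtract(stage1, {
    regex: /(?<_NAME_0>\w+):"(?<_VALUE_0>[^"]*)"/,
    sourceField: "__fields",
  });
  return { stage1, final: exitPipeline(stage2) };
}

// The docs' Overwrite example: src_ip already set by an input Pipeline, then
// extracted again with Overwrite existing fields = No (or Yes when passed true).
function runOverwriteExample(overwrite = false) {
  return regexExtract({ src_ip: "10.1.2.2", _raw: "src=10.2.3.3 proto=tcp" },
                      { regex: /src=(?<src_ip>[\d.]+)/, overwrite });
}
```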