Regular Expression Flags

LogScale regular expressions can be modified by flags that change the default behaviour of the regular expression engine. Flags supported are:

  • d

    In a regular expression, the . (period) character matches any standard (non-escape) characters including newline. When using this flag, the . will match any character, including the newline.

    You can combine with the m flag so that . matches any character, but still allows ^ and $ to match the beginning end of lines within a multi-line string.

  • g

    Match the same expression multiple times within a single event. This can be used to extract repeated elements when assigning to a field:

    logscale
    company = /(?<orgname>\w+):/g

    Or when extracting multiple values to a named field:

  • i

    Case-insensitive searching, matching values regardless of the case of the characters.

  • m

    Standard processing of the value against a regular expression matches only a line. This treats the incoming string as having multiple lines, which means the ^ and $ special characters to match the start and end of the entire string, not individual lines within the string.

  • F

    Available: LogScale Regex Engine v2 v1.154.0

    Updating regaular expression with higher-performance for specific use cases. For more information, see LogScale Regular Expression Engines.

    Use the LogScale RegEx Engine v2 for regular expression matching in place of the standard engine.

Using Regular Expression Flags

Usage of flag within LogScale depends on whether you are using /regex/ or regex():

  • Using regex()

    You can use the flags argument to the regex() function to set the flags for a regular expression. For example:

    logscale
    regex("orgname",flags="i")

    Would enable case-insensitive matching so that the regular expression will match orgname, ORGNAME or orgName.

  • Using regex()

    You can use the flags argument to the array:regex() function to set the flags for a regular expression execution over an array. For example:

    logscale
    array:regex("host[]", "host1", flags="i")
  • Using /regex/

    You can append flags after the / delimiter. For example:

    logscale
    /orgname/i

    Would match orgname, ORGNAME or orgName, or any combination of upper and lower case letters for the word "orgname".

  • Using flags extension within /regex/

    Flag settings can be embedded into the regular expression using the (?flags) extension:

    logscale
    /(?i)orgname/

    Would match orgname, ORGNAME or orgName, or any combination of upper and lower case letters for the word "orgname".

    The flags can also be used to explicitly match a string, for example:

    logscale
    /(?i:orgname)extension/

    Applies the case insensitive flag only to orgname, while extension would remain case sensitive, matching orgnameextension, ORGNAMEextension or orgNameextension, but not orgNameExtension.