Extracts new fields using a regular expression. The regular expression can contain one or more named capturing groups; fields with the names of the groups are added to the events.

Using " inside an already quoted string requires escaping, which is sometimes necessary when writing regular expressions. Humio uses JitRex, which closely follows the syntax of re2j regular expressions, which in turn is very close to Java's regular expressions.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| field | string | false | @rawstring | Specifies the field to run the regular expression against. Default is running against @rawstring. |
| flags | string | false | m | Specifies other regex flags: `m` for multi-line; `i` for ignore case; and `d` means dot (.) includes newline. |
| limit | number | false | false | Defines the maximum number of events to produce (defaults to 100). A warning is produced if this limit is exceeded, unless the parameter is specified explicitly. |
| regex | string | true | | Specifies a regular expression. The regular expression can contain one or more named capturing groups. Fields with the names of the groups will be added to the events. |
| repeat | boolean | false | false | If set to true, multiple matches yield multiple events. |
| strict | boolean | false | true | Specifies if events not matching the regular expression should be filtered out of the result set. Strict is the default. |

When performing queries, the g option (used for global, as in repeating) is allowed in a query, but is not an acceptable option for the flags parameter. To get multiple matches with the function, set the repeat parameter to true instead.

Examples

Extract the domain name from the HTTP referrer field. This field often contains a full URL, so there can be many different URLs from the same site. In this case we want to count all referrals from the same domain. This adds a field named refdomain to events matching the regular expression.

```humio
regex("https?://(www\\.)?(?<refdomain>.+?)(/|$)", field=referrer)
| groupby(refdomain, function=count()) | sort(field=_count, type=number, reverse=true)
```

Extract the userid from the url field. The extracted value is stored in a field named userid.

```humio
regex(regex=".*/user/(?<userid>\\S+)/pay", field=url)
```

This example shows how to escape " in the regular expression, which is necessary because the regular expression is itself in quotes. It extracts the user and message from events like: Peter: "hello" and Bob: "good morning".

```humio
regex("(?<name>\\S+): \"(?<msg>[^\"]+)\"")
```

Note that by default a regular expression has no flags, so that:

```humio
@rawstring=/expression/
```

Is syntactically equivalent to:

```humio
regex("expression")
```

Or:

```humio
regex("expression", flags="")
```

When using flags:

```humio
@rawstring=/expression/m
```

Is syntactically equivalent to:

```humio
regex("expression", flags="m")
```
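
The following JavaScript model is an added example, not part of the original page or Humio's implementation: it reproduces the documented strict, repeat and flags behaviour over constructed events so that a pattern can be checked offline. The function names, the sample events and the use of JavaScript's RegExp in place of JitRex are assumptions; the limit parameter is not modelled.

```javascript
// Added illustration: models the documented regex() semantics with JavaScript's
// RegExp. Humio's JitRex engine may differ in details; all names are hypothetical.

// Humio flag "d" (dot includes newline) is "s" in JavaScript; "m" and "i" map 1:1.
// "g" is rejected, as the page says it is not valid in the flags parameter.
function toJsFlags(flags) {
  let out = "g"; // internal only: lets matchAll() find every match for repeat=true
  for (const f of flags) {
    if (f === "d") out += "s";
    else if (f === "m" || f === "i") out += f;
    else throw new Error(`flag not accepted by the flags parameter: ${f}`);
  }
  return out;
}

// flags defaults to "" following the page's regex("expression") equivalence.
function regexFn(events, { regex, field = "@rawstring", flags = "", strict = true, repeat = false }) {
  const re = new RegExp(regex, toJsFlags(flags));
  const out = [];
  for (const ev of events) {
    const matches = [...String(ev[field] ?? "").matchAll(re)];
    if (matches.length === 0) {
      if (!strict) out.push({ ...ev }); // strict=false keeps the event, no new fields
      continue;
    }
    // repeat=false uses the first match only; repeat=true yields one event per match
    for (const m of repeat ? matches : matches.slice(0, 1)) {
      const fields = Object.entries(m.groups ?? {}).filter(([, v]) => v !== undefined);
      out.push({ ...ev, ...Object.fromEntries(fields) });
    }
  }
  return out;
}

// Constructed sample events (not from the page).
const sampleEvents = [
  { "@rawstring": 'Peter: "hello"', referrer: "https://www.example.com/a/b" },
  { "@rawstring": 'Bob: "good morning" Eve: "hi"', referrer: "http://example.com" },
  { "@rawstring": "no quoted message here", referrer: "-" },
];

// Patterns adapted from the page's examples; string escaping matches the Humio form.
const REFDOMAIN = "https?://(www\\.)?(?<refdomain>.+?)(/|$)";
const NAME_MSG = "(?<name>\\S+): \"(?<msg>[^\"]+)\""; // [^"]+ lets msg contain spaces

console.log(regexFn(sampleEvents, { regex: REFDOMAIN, field: "referrer" }));
console.log(regexFn(sampleEvents, { regex: NAME_MSG, repeat: true }));
```

With strict left at its default, the third sample event is dropped from both results; passing `strict: false` keeps it without the extracted fields.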