# rex

The `rex` command is a more powerful alternative to `parse` for extracting fields from text using Java regular expressions. In addition to standard extraction, `rex` supports sed mode for text substitution, multiple match extraction, and offset tracking to record match positions.
## Syntax

```
rex [mode=<mode>] field=<field> <pattern> [max_match=<int>] [offset_field=<string>]
```

## Arguments

| Argument | Required | Default | Description |
|---|---|---|---|
| `field` | Yes | — | The text field to extract data from. Must be a string field. |
| `<pattern>` | Yes | — | In extract mode: a Java regex with named capture groups `(?<name>pattern)`. Group names must start with a letter and contain only letters and digits (no underscores). In sed mode: a sed-style pattern (see Sed mode syntax). |
| `mode` | No | `extract` | `extract` creates new fields from named capture groups. `sed` performs text substitution on the field in place. |
| `max_match` | No | `1` | Maximum number of matches to extract. When greater than 1, extracted fields are returned as arrays. Set to `0` for unlimited matches (capped by the configured system limit, default 10). |
| `offset_field` | No | — | Valid in extract mode only. Name of an output field that records the character offset positions of each match. |
## Sed mode syntax

In sed mode, the pattern uses one of the following forms:

| Syntax | Description |
|---|---|
| `s/<regex>/<replacement>/` | Substitute the first match of `<regex>` with `<replacement>`. |
| `s/<regex>/<replacement>/g` | Substitute all matches (global flag). |
| `y/<from_chars>/<to_chars>/` | Transliterate characters (like `tr`). |

Backreferences (`\1`, `\2`, etc.) are supported in the replacement string.
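To make the three sed-mode forms concrete, here is a small Python model of what `mode=sed` does to a field value. It is an added example, not code from the rex command or the OpenSearch project: it splits `s/…/…/[g]` and `y/…/…/` patterns on their delimiter (honouring backslash-escaped delimiters), applies the substitution with or without the global flag, passes backreferences through to the replacement, and performs `y` transliteration. The log line is constructed for the example; the function names are the example's own.

```python
import re


def _split_sed(pattern):
    """Split a rex sed-mode pattern such as 's/regex/replacement/g' or
    'y/abc/xyz/' into (command, left, right, flags).

    The character right after the command is the delimiter. A delimiter
    preceded by a backslash is literal; every other escape (\\d, \\., \\1)
    is passed through untouched so the regex engine still sees it.
    """
    if len(pattern) < 2 or pattern[0] not in "sy":
        raise ValueError("sed pattern must start with 's' or 'y'")
    cmd, delim = pattern[0], pattern[1]
    parts, buf, i = [], [], 2
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            buf.append(nxt if nxt == delim else ch + nxt)
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))  # text after the last delimiter: the flags
    if len(parts) != 3:
        raise ValueError(f"malformed sed pattern: {pattern!r}")
    return cmd, parts[0], parts[1], parts[2]


def apply_sed(text, pattern):
    """Apply one sed-mode pattern to a string, as rex mode=sed does to a field."""
    cmd, left, right, flags = _split_sed(pattern)
    if cmd == "s":
        # Without the g flag only the first match is substituted (count=1);
        # with it every match is (count=0 means "all" for re.sub).
        count = 0 if "g" in flags else 1
        return re.sub(left, right, text, count=count)
    # y/from/to/: character-for-character transliteration, like tr.
    if len(left) != len(right):
        raise ValueError("y/// needs the same number of from and to characters")
    return text.translate(str.maketrans(left, right))


# Constructed Envoy-style access log line (not real data) carrying three IPs.
SAMPLE_BODY = (
    '[10.0.0.5] "GET /api/data HTTP/1.1" 200 - via_upstream - "-" '
    '"python-requests/2.32.5" "192.168.1.20" frontend 10.0.0.9'
)

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def mask_all_ips(body):
    """Global substitution: every IPv4 literal becomes [REDACTED]."""
    return apply_sed(body, f"s/{IPV4}/[REDACTED]/g")


def mask_first_ip(body):
    """No g flag: only the first IPv4 literal is replaced."""
    return apply_sed(body, f"s/{IPV4}/[REDACTED]/")


def keep_first_two_octets(body):
    """Backreferences \\1 and \\2 carry the first two octets into the replacement."""
    return apply_sed(body, r"s/(\d+)\.(\d+)\.\d+\.\d+/\1.\2.x.x/g")


if __name__ == "__main__":
    for fn in (mask_all_ips, mask_first_ip, keep_first_two_octets):
        print(f"{fn.__name__}: {fn(SAMPLE_BODY)}")
    print(apply_sed("cab", "y/abc/ABC/"))
```

Note that `2.32.5` in the user-agent string is left alone by the IPv4 pattern because it has only three octets; a looser pattern such as `[\d.]+` would also strip version numbers, so check masked output against a sample before relying on it for redaction.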
## rex vs. parse

| Feature | rex | parse |
|---|---|---|
| Named capture groups | Yes | Yes |
| Multiple named groups per pattern | Yes | No |
| Multiple matches (`max_match`) | Yes | No |
| Text substitution (sed mode) | Yes | No |
| Offset tracking | Yes | No |
| Requires full-string match | No | Yes |
## Usage notes

- In extract mode, each named capture group creates a new string field. When `max_match > 1`, fields become arrays.
- Unlike `parse`, `rex` performs partial matching: the pattern does not need to match the entire string.
- Group names cannot contain underscores or special characters due to Java regex limitations. Use `(?<userName>...)`, not `(?<user_name>...)`.
- Non-matching patterns return an empty string for the extracted fields. Use `where length(field) > 0` to filter non-matches.
- Multiple `rex` commands can be chained to extract from different fields in the same query.
- The `max_match` system limit defaults to `10` and can be configured via the `plugins.ppl.rex.max_match.limit` cluster setting. Requesting more than the limit results in an error.
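The notes above describe several extract-mode behaviours at once: partial matching, the group-name rule, empty strings for non-matches, arrays when `max_match` is not 1, the system limit, and the offset field. The following Python model exercises all of them on constructed log bodies. It is an added example, not the rex implementation: it rewrites Java `(?<name>...)` groups into Python's `(?P<name>...)` syntax, and its offset layout (`name=start-end`, 0-based, end inclusive, joined with `&`) is an assumption modelled on the `method=29-31&statusCode=50-52` value shown on this page, not a documented format.

```python
import re
from itertools import islice

MAX_MATCH_LIMIT = 10  # mirrors the default of plugins.ppl.rex.max_match.limit

_NAME_RULE = re.compile(r"[A-Za-z][A-Za-z0-9]*")
# Java-style named group opener; (?<= and (?<! are lookbehinds, not groups.
_JAVA_GROUP = re.compile(r"\(\?<(?![=!])([^>]*)>")


def is_valid_group_name(name):
    """rex group names: a letter followed by letters and digits only."""
    return _NAME_RULE.fullmatch(name) is not None


def _to_python_regex(pattern):
    """Validate group names and rewrite (?<name>...) as Python's (?P<name>...)."""
    for m in _JAVA_GROUP.finditer(pattern):
        if not is_valid_group_name(m.group(1)):
            raise ValueError(f"invalid capture group name: {m.group(1)!r}")
    return _JAVA_GROUP.sub(r"(?P<\1>", pattern)


def rex_extract(text, pattern, max_match=1, offset_field=None):
    """Model rex extract mode on one field value.

    Returns a dict of new fields: one string per named group (lists when
    max_match != 1) plus the offset field when requested. A non-matching
    pattern yields "" (or []), never an error.
    """
    if max_match < 0 or max_match > MAX_MATCH_LIMIT:
        raise ValueError(f"max_match must be between 0 and {MAX_MATCH_LIMIT}")
    as_array = max_match != 1
    limit = MAX_MATCH_LIMIT if max_match == 0 else max_match  # 0 = unlimited, capped
    regex = re.compile(_to_python_regex(pattern))
    names = list(regex.groupindex)
    # finditer searches anywhere in the string: partial matching, unlike parse.
    matches = list(islice(regex.finditer(text), limit))
    row = {}
    for name in names:
        values = [m.group(name) or "" for m in matches]
        row[name] = values if as_array else (values[0] if values else "")
    if offset_field is not None:
        # Assumed layout (see lead-in): name=start-end, 0-based, end inclusive.
        spans = [f"{n}={m.start(n)}-{m.end(n) - 1}"
                 for m in matches for n in names if m.start(n) != -1]
        row[offset_field] = "&".join(spans)
    return row


# Constructed log bodies modelled on the page's Envoy example (not real data).
SAMPLE_BODIES = [
    '[2026-02-26T18:04:21.634Z] "GET /api/data HTTP/1.1" 200 - via_upstream',
    '[2026-02-26T18:04:23.059Z] "POST /api/products/6E92ZMYYFZ HTTP/1.1" 201 - via_upstream',
    "Starting worker pool with 4 threads",  # no HTTP request line at all
]

METHOD_PATH = r"(?<method>GET|POST|PUT|DELETE|PATCH)\s+(?<path>/[^\s]+)"


def extract_requests(bodies):
    """Run rex over each body and drop non-matches, the equivalent of
    `| where length(method) > 0` after the rex command."""
    rows = [rex_extract(b, METHOD_PATH, offset_field="matchpos") for b in bodies]
    return [r for r in rows if len(r["method"]) > 0]


if __name__ == "__main__":
    for r in extract_requests(SAMPLE_BODIES):
        print(r)
    print(rex_extract(SAMPLE_BODIES[0], r"(?<num>\d+)", max_match=3))
```

The third sample body produces `{"method": "", "path": "", "matchpos": ""}` rather than an error, which is why the `where length(method) > 0` filter appears in every example on this page.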
## Basic examples

### Extract HTTP method and path from Envoy access logs

Use two named capture groups to extract the HTTP method and request path from frontend-proxy (Envoy) log bodies:

```
source=logs-otel-v1*
| rex field=body "(?<method>GET|POST|PUT|DELETE|PATCH)\s+(?<path>/[^\s]+)"
| where length(method) > 0
| head 20
```

| body | method | path |
|---|---|---|
| [2026-02-26T18:04:21.634Z] "GET /api/data HTTP/1.1" 200 … | GET | /api/data |
| [2026-02-26T18:04:23.059Z] "POST /api/product-ask-ai-assistant/0PUK6V6EV0 HTTP/1.1" 200 … | POST | /api/product-ask-ai-assistant/0PUK6V6EV0 |
| [2026-02-26T18:04:27.084Z] "GET /api/products/6E92ZMYYFZ HTTP/1.1" 200 … | GET | /api/products/6E92ZMYYFZ |
### Replace text using sed mode

Mask IP addresses in Envoy access log bodies by substituting them with a placeholder:

```
source=logs-otel-v1*
| where like(body, '%HTTP/1.1"%')
| rex field=body mode=sed "s/\d+\.\d+\.\d+\.\d+/[REDACTED]/g"
| head 2
```

| body |
|---|
| [[REDACTED]] "GET /api/data/ HTTP/1.1" 308 - via_upstream - "-" 0 9 3 2 "-" "python-requests/2.32.5" … "[REDACTED]" frontend [REDACTED] … |
| [[REDACTED]] "GET /api/data HTTP/1.1" 200 - via_upstream - "-" 0 211 140 140 "-" "python-requests/2.32.5" … "[REDACTED]" frontend [REDACTED] … |
### Extract Kafka broker component and ID

Pull out the component name and broker ID from Kafka log bodies with bracketed prefixes:

```
source=logs-otel-v1*
| where `resource.attributes.service.name` = 'kafka'
| rex field=body "\[(?<component>\w+) id=(?<brokerId>\d+)\]"
| where length(component) > 0
| head 5
```

| body | component | brokerId |
|---|---|---|
| [Broker id=1] Creating new partition __consumer_offsets-33 … | Broker | 1 |
| [RaftManager id=1] Completed transition to Leader … | RaftManager | 1 |
| [QuorumController id=1] The request from broker 1 … | QuorumController | 1 |
### Track match positions with offset_field

Record where each capture group matched within the Envoy access log body:

```
source=logs-otel-v1*
| rex field=body "(?<method>GET|POST|PUT|DELETE).*(?<statusCode>\d{3})" offset_field=matchpos
| where length(method) > 0
| head 2
```

| body | method | statusCode | matchpos |
|---|---|---|---|
| [2026-02-26T18:04:21.634Z] "GET /api/data HTTP/1.1" 200 … | GET | 200 | method=29-31&statusCode=50-52 |
| [2026-02-26T18:04:23.059Z] "POST /api/product-ask-ai-assistant/… | POST | 200 | method=29-32&statusCode=81-83 |
## Extended examples

### Chain rex commands to extract from multiple fields

Extract the first character of the severity text and the HTTP method/path from the body in a single query:

```
source=logs-otel-v1*
| rex field=severityText "(?<severityChar>^.)"
| rex field=body "(?<method>GET|POST|PUT|DELETE|PATCH)\s+(?<path>/\S+)"
| where length(method) > 0
| head 3
```

| severityText | body | severityChar | method | path |
|---|---|---|---|---|
| INFO | [2026-02-26T18:04:21.634Z] "GET /api/data HTTP/1.1" 200 … | I | GET | /api/data |
| INFO | [2026-02-26T18:04:23.059Z] "POST /api/product-ask-ai-assistant/… | I | POST | /api/product-ask-ai-assistant/0PUK6V6EV0 |
| INFO | [2026-02-26T18:04:24.766Z] "GET / HTTP/1.1" 200 … | I | GET | / |
### Aggregate endpoint traffic from Envoy access logs

Use `rex` to extract method and path from frontend-proxy log bodies, then aggregate to find the busiest endpoints:

```
source=logs-otel-v1*
| where `resource.attributes.service.name` = 'frontend-proxy'
| rex field=body "(?<method>GET|POST|PUT|DELETE|PATCH)\s+(?<path>/\S+)"
| where length(method) > 0
| stats count() as requests by method, path
| sort - requests
| head 20
```

This extracts the HTTP method and path from Envoy access log bodies, then counts requests per endpoint.
## See also

- `parse` — simpler regex extraction when you need a single capture group
- `grok` — extract fields using predefined grok patterns for common formats
- `patterns` — automatically discover log patterns without writing regex
- PPL Functions Reference — `regexp_match` and other string functions for regex filtering