rex
The rex command lets you use regular expressions to create fields. It can work against any existing field but, by default, will use the field _raw. Let's try one of the patterns that we wrote in our short regular expression primer:
sourcetype="impl_splunk_gen" | rex "ip=(?P<subnet>\d+\.\d+\.\d+)\.\d+" | chart values(subnet) by date_minute
This would create a table like this:
With the addition of the field argument, we can work against the ip field that is already being created automatically from the name=value pair in the event:
sourcetype="impl_splunk_gen" | rex field=ip "(?P<subnet>.*)\." | chart values(subnet) by date_minute
This will create exactly the same result as the previous example.
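To see why the two searches above produce the same table, here is an added Python simulation of both rex calls (this is example code written for this page, not Splunk's implementation or the book's own code). Python's re module accepts the same (?P<name>...) named-group syntax that Splunk's rex uses, so both patterns are used verbatim. The sample events, the tiny name=value extractor, and the date_minute helper are all constructed assumptions standing in for the impl_splunk_gen sourcetype and Splunk's automatic field extraction. The block also shows the caveat a practitioner should know: the second pattern only works because .* is greedy and runs to the last dot; a lazy .*? would stop at the first dot and return just the first octet.

```python
import re
from collections import defaultdict

# Constructed sample events in the name=value style of the book's impl_splunk_gen
# sourcetype (not real Splunk data). The last event has no ip= pair at all, so
# rex will add no subnet field to it, and it drops out of the chart.
SAMPLE_EVENTS = [
    "2024-01-01T10:01:15 ip=10.0.1.15 user=alice msg=login",
    "2024-01-01T10:01:42 ip=10.0.1.99 user=bob msg=login",
    "2024-01-01T10:02:03 ip=192.168.4.7 user=carol msg=logout",
    "2024-01-01T10:02:55 ip=10.0.1.15 user=alice msg=logout",
    "2024-01-01T10:03:10 user=dave msg=no_ip_field",
]

# The two patterns from the text. Python uses the same (?P<name>...) group syntax.
RAW_PATTERN = re.compile(r"ip=(?P<subnet>\d+\.\d+\.\d+)\.\d+")  # run against _raw
IP_PATTERN = re.compile(r"(?P<subnet>.*)\.")                     # run against the ip field
# Caveat pattern (assumption for illustration): lazy .*? stops at the FIRST dot.
LAZY_PATTERN = re.compile(r"(?P<subnet>.*?)\.")

# Stand-in for Splunk's automatic name=value extraction (constructed, simplified).
KV_PATTERN = re.compile(r"(\w+)=(\S+)")


def extract_kv(event):
    """Return the name=value pairs of an event as a dict of fields."""
    return dict(KV_PATTERN.findall(event))


def rex(event, pattern, field=None):
    """Simulate rex: run pattern against the named field (default _raw, i.e. the
    whole event) and return the named groups as new fields, or {} on no match."""
    target = event if field is None else extract_kv(event).get(field)
    if target is None:
        return {}
    match = pattern.search(target)
    return match.groupdict() if match else {}


def date_minute(event):
    """Minute of the event timestamp (characters 14-15 of the constructed format)."""
    return int(event[14:16])


def chart_values_by_minute(events, pattern, field=None):
    """Simulate 'chart values(subnet) by date_minute': sorted distinct subnets per minute."""
    table = defaultdict(set)
    for event in events:
        fields = rex(event, pattern, field)
        if "subnet" in fields:
            table[date_minute(event)].add(fields["subnet"])
    return {minute: sorted(values) for minute, values in sorted(table.items())}


if __name__ == "__main__":
    print("rex against _raw:      ", chart_values_by_minute(SAMPLE_EVENTS, RAW_PATTERN))
    print("rex field=ip:          ", chart_values_by_minute(SAMPLE_EVENTS, IP_PATTERN, field="ip"))
    print("lazy .*? on first event:", rex(SAMPLE_EVENTS[0], LAZY_PATTERN, field="ip"))
```

Both searches yield {1: ['10.0.1'], 2: ['10.0.1', '192.168.4']}; the event without an ip field contributes nothing, because rex silently adds no field when the pattern does not match. The lazy variant returns only '10' for 10.0.1.15, which is the kind of quiet mis-extraction worth checking with a few known events before a rex pattern is relied on in a detection search.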