Learn more about the Cortex Query Language regextract() function that uses regular expressions to assemble an array of matching substrings from a string.
Syntax
regextract (<string_value>, <pattern>)
Description
The regextract() function accepts a string and a regular expression, and it returns an array containing substrings that match the expression.
XQL uses RE2 for its regular expression implementation. Capturing multiple groups is unsupported. When using the (?i) syntax for case-insensitive mode in your query, this syntax should be added only once at the beginning of the inline regular expression.
Note
Capturing multiple groups is supported in Parsing Rules when using the regexcapture function.
Examples
Extract the Account Name from the action_evtlog_message. Use the arrayindex and split functions to extract the actual account name from the array created by regextract.
dataset = xdr_data
| fields action_evtlog_message as aem
| filter aem != null
| alter account_name =
arrayindex(
split(
arrayindex(
regextract(aem, "Account Name:\t\t.*\r\n")
,0)
, ":")
,1)
| filter account_name != null
| limit 10