parse

The parse command extracts information from a text field using a regular expression and adds the extracted information to the search results. It uses Java regex patterns. For more information, see the Java regular expression documentation.

The rex and parse commands compared

The rex and parse commands both extract information from text fields using Java regular expressions with named capture groups. To compare the capabilities of the rex and parse commands, see the rex command documentation.

Syntax

The parse command has the following syntax:

parse <field> <pattern>

Parameters

The parse command supports the following parameters.

Regular expression

The regular expression pattern is used to match the whole text field of each document based on the Java regular expression syntax. Each named capture group in the expression becomes a new STRING field.

Example 1: Create a new field

The following query extracts the hostname from email addresses. The regex pattern .+@(?<host>.+) captures all characters after the @ symbol and creates a new host field. When parsing a null field, the result is an empty string:

source=accounts
| parse email '.+@(?<host>.+)'
| fields email, host

The query returns the following results:

Example 2: Override an existing field

The following query replaces the address field with only the street name, removing the street number. The regex pattern \d+ (?<address>.+) matches digits followed by a space, then captures the remaining text as the new address value:

source=accounts
| parse address '\d+ (?<address>.+)'
| fields address

The query returns the following results:

Example 3: Parse, filter, and sort address components

The following query extracts street numbers and names from addresses, then filters for street numbers greater than 500 and sorts them numerically. The regex pattern (?<streetNumber>\d+) (?<street>.+) captures the numeric part as streetNumber and the remaining text as street:

source=accounts
| parse address '(?<streetNumber>\d+) (?<street>.+)'
| where cast(streetNumber as int) > 500
| sort num(streetNumber)
| fields streetNumber, street

The query returns the following results:

Limitations

The parse command has the following limitations:

• Fields created by the parse command cannot be parsed again. For example, the following command does not function as intended:

    source=accounts | parse address '\d+ (?<street>.+)' | parse street '\w+ (?<road>\w+)'
  

• Fields created by the parse command cannot be overridden by other commands. For example, in the following query, the where clause does not match any documents because street cannot be overridden:

    source=accounts | parse address '\d+ (?<street>.+)' | eval street='1' | where street='1'
  

• The source text field used by the parse command cannot be overridden. For example, in the following query, the street field is not parsed correctly because address is overridden:

    source=accounts | parse address '\d+ (?<street>.+)' | eval address='1'
  

• Fields created by the parse command cannot be filtered or sorted after they are used in the stats command. For example, in the following query, the where clause does not function as intended:

    source=accounts | parse email '.+@(?<host>.+)' | stats avg(age) by host | where host=pyrami.com
  

• Fields created by the parse command do not appear in the final results unless the original source field is included in the fields command. For example, the following query does not return the parsed field host unless the source field email is explicitly included:

    source=accounts | parse email '.+@(?<host>.+)' | fields email, host