Regex Common Patterns

regex reference splunk wireshark grep


Quick Reference

Metacharacters

CharMeaningExample
.Any single charactera.c → abc, aXc
*Zero or more of previousab*c → ac, abc, abbc
+One or more of previousab+c → abc, abbc (not ac)
?Zero or one of previouscolou?r → color, colour
^Start of line^Error
$End of line\.log$
\Escape special char\. matches literal dot
``OR
()Grouping/capture(ab)+ → ab, abab
[]Character class[aeiou]
{}Quantifiera{2,4} → aa, aaa, aaaa

Character Classes

PatternMeaning
[abc]a, b, or c
[^abc]Not a, b, or c
[a-z]Lowercase letter
[A-Z]Uppercase letter
[0-9]Digit
[a-zA-Z0-9]Alphanumeric

Shorthand Classes

PatternEquivalentMeaning
\d[0-9]Digit
\D[^0-9]Non-digit
\w[a-zA-Z0-9_]Word character
\W[^a-zA-Z0-9_]Non-word character
\s[ \t\n\r\f]Whitespace
\S[^ \t\n\r\f]Non-whitespace

Quantifiers

PatternMeaning
*0 or more
+1 or more
?0 or 1
{n}Exactly n
{n,}n or more
{n,m}Between n and m
*?0 or more (non-greedy)
+?1 or more (non-greedy)

Network Patterns

IPv4 Address

# Basic (allows invalid octets like 999)
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
 
# Strict (valid octets 0-255)
\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
 
# With CIDR
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}

IPv6 Address (Simplified)

# Basic pattern (not comprehensive)
(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}
 
# With :: compression (simplified)
(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}

MAC Address

# Colon-separated
([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}
 
# Dash-separated
([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}
 
# Cisco format (xxxx.xxxx.xxxx)
([0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}
 
# Any separator
([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}

Port Number

# Any port (1-65535)
\b([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])\b
 
# Simplified (allows invalid)
\b\d{1,5}\b

URL

# Basic HTTP/HTTPS
https?:\/\/[^\s]+
 
# More complete
https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)

Domain Name

# Basic
[a-zA-Z0-9][-a-zA-Z0-9]*\.[a-zA-Z]{2,}
 
# With subdomains
(?:[a-zA-Z0-9][-a-zA-Z0-9]*\.)+[a-zA-Z]{2,}

Log Parsing Patterns

Timestamp Formats

# ISO 8601: 2024-01-15T10:30:45Z
\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})
 
# Common log: 15/Jan/2024:10:30:45 +0000
\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}
 
# Syslog: Jan 15 10:30:45
[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}
 
# US format: 01/15/2024 10:30:45
\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}

Log Levels

# Common levels
\b(DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|CRITICAL)\b
 
# Case insensitive flag needed for: debug, info, etc.

HTTP Log (Combined Format)

# Extract IP, method, path, status, size
^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)

Security / Data Patterns

Email Address

[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}

Credit Card (Basic)

# Visa
4[0-9]{12}(?:[0-9]{3})?
 
# MasterCard
5[1-5][0-9]{14}
 
# Any 16-digit (with optional separators)
\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b

SSN (US)

\b\d{3}-\d{2}-\d{4}\b

UUID

[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}

API Key / Token (Generic)

# Hex string 32+ chars
[0-9a-fA-F]{32,}
 
# Base64-ish (JWT, API keys)
[A-Za-z0-9_-]{20,}

Splunk-Specific

# Extract IP addresses
| rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 
# Extract key=value pairs
| rex field=_raw "(?<key>\w+)=(?<value>[^\s]+)"
 
# Extract quoted strings
| rex field=_raw "\"(?<message>[^\"]+)\""
 
# Multiple capture groups
| rex field=_raw "src=(?<src>\S+)\s+dst=(?<dst>\S+)"

Wireshark Display Filters

Note: Wireshark uses its own filter syntax, not pure regex. For regex matching:

# Frame contains regex match
frame matches "pattern"

# HTTP URI matches
http.request.uri matches ".*\.php"

# Follow TCP stream containing pattern
tcp contains "password"

grep / ripgrep

# Basic extended regex
grep -E 'pattern' file
 
# Case insensitive
grep -i 'error' file
 
# Show line numbers
grep -n 'pattern' file
 
# Invert match
grep -v 'DEBUG' file
 
# Multiple patterns
grep -E 'error|warning|critical' file
 
# ripgrep (faster)
rg 'pattern' file
rg -i 'error'           # case insensitive
rg -t py 'import'       # file type filter

Lookahead / Lookbehind

PatternNameMeaning
(?=...)Positive lookaheadFollowed by
(?!...)Negative lookaheadNot followed by
(?<=...)Positive lookbehindPreceded by
(?<!...)Negative lookbehindNot preceded by

Examples:

# Password followed by = (but don't capture =)
password(?=\s*=)
 
# Number NOT followed by px
\d+(?!px)
 
# Value after "price: "
(?<=price:\s)\d+
 
# Word not preceded by "un"
(?<!un)happy

Common Gotchas

IssueProblemFix
Greedy matching".*" matches too muchUse ".*?" (non-greedy)
Unescaped dots. matches any charUse \. for literal dot
AnchorsPattern matches mid-stringUse ^pattern$
Case sensitivityMissing matchesUse case-insensitive flag
Special chars[, ], (, etc.Escape with \

Testing Regex

  • regex101.com - Detailed explanation, multiple flavors
  • regexr.com - Visual, good for learning
  • debuggex.com - Visual railroad diagrams