re.capture
Supported in: Rules, Search
re.capture(stringText, regex)
Description
Captures (extracts) data from a string using the regular expression pattern
provided in the argument.
This function takes two arguments:
- stringText: the original string to search.
- regex: the regular expression indicating the pattern to search for.
The regular expression can contain 0 or 1 capture groups in parentheses. If the
regular expression contains 0 capture groups, the function returns the first
entire matching substring. If the regular expression contains 1 capture group,
it returns the first matching substring for the capture group. Defining two or
more capture groups returns a compiler error.
Param data types
STRING, STRING
Return type
STRING
Code samples
Example 1
In this example, if $e.principal.hostname contains "aaa1bbaa2", the following
expression is true, because the function returns the first match ("aaa1"),
not the later "aa2". This regular expression has no capture groups.
"aaa1" = re.capture($e.principal.hostname, "a+[1-9]")
Example 2
This example captures everything after the @ symbol in an email address. If the
$e.network.email.from field is test@google.com, the example returns google.com.
This regular expression contains one capture group.
"google.com" = re.capture($e.network.email.from , "@(.*)")
Example 3
If the regular expression does not match any substring in the text, the
function returns an empty string. Because an empty string also satisfies an
inequality such as != "google.com", a rule that only uses the inequality
will also match events where the pattern never matched at all. To omit events
where no match occurs, exclude the empty string explicitly:
// Exclude the empty string to omit events where no match occurs.
"" != re.capture($e.network.email.from , "@(.*)")
// Exclude a specific string with an inequality.
"google.com" != re.capture($e.network.email.from , "@(.*)")
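The semantics described above, as an added example that is not part of the Google SecOps documentation: a Python model of re.capture built on Python's re module (an assumption; the YARA-L engine's regex dialect may differ in details), run over a few constructed events to show why Example 3 pairs the inequality with an empty-string exclusion. The re_capture, sender_domain, naive_not_google and hardened_not_google names are hypothetical helpers, not functions of the product.

```python
import re


def re_capture(string_text: str, regex: str) -> str:
    """Model of YARA-L re.capture (assumed semantics, per the docs text):

    - 0 capture groups: return the first entire matching substring
    - 1 capture group: return the first match of that group
    - 2+ capture groups: an error (a compiler error in YARA-L)
    - no match at all: return the empty string
    """
    pattern = re.compile(regex)
    if pattern.groups > 1:
        raise ValueError("re.capture allows at most one capture group")
    match = pattern.search(string_text)
    if match is None:
        return ""
    if pattern.groups == 1:
        # An optional group that did not participate yields None in Python;
        # map it to the empty string to mirror the "no match" case.
        return match.group(1) or ""
    return match.group(0)


# Constructed sample events, flattened to dotted UDM-style field names.
EVENTS = [
    {"principal.hostname": "aaa1bbaa2", "network.email.from": "test@google.com"},
    {"principal.hostname": "bbb", "network.email.from": "alert@example.org"},
    {"principal.hostname": "aa3", "network.email.from": "no-at-sign-here"},
]


def sender_domain(event: dict) -> str:
    """Equivalent of re.capture($e.network.email.from, "@(.*)")."""
    return re_capture(event.get("network.email.from", ""), "@(.*)")


def naive_not_google(events: list) -> list:
    """Mirrors the inequality alone:
        "google.com" != re.capture($e.network.email.from, "@(.*)")
    Events with no @ sign produce "", which is != "google.com", so they
    are kept even though the sender domain was never extracted."""
    return [e for e in events if sender_domain(e) != "google.com"]


def hardened_not_google(events: list) -> list:
    """Mirrors Example 3: exclude the empty string as well, so only events
    where a domain was actually captured and differs from google.com remain."""
    return [
        e
        for e in events
        if sender_domain(e) != "" and sender_domain(e) != "google.com"
    ]


if __name__ == "__main__":
    print(re_capture("aaa1bbaa2", "a+[1-9]"))  # aaa1
    print(re_capture("test@google.com", "@(.*)"))  # google.com
    print([e["network.email.from"] for e in naive_not_google(EVENTS)])
    print([e["network.email.from"] for e in hardened_not_google(EVENTS)])
```

The naive filter keeps the "no-at-sign-here" event because the empty string returned on no match is not equal to "google.com"; the hardened filter drops it. The same pattern applies to any re.capture result compared with an inequality: add the "" != re.capture(...) condition unless unmatched events are deliberately wanted.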
Last updated 2025-07-14 UTC.