Merge pull request #32 from fukusuket/add-re-midifier-description

doc: add `re` modifier description
SigmaHQ · Dec 29, 2023 · 29d5153 · 29d5153
2 parents ebf3ef8 + 7a003b0
commit 29d5153
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/docs/basics/modifiers.md b/docs/basics/modifiers.md
@@ -41,6 +41,7 @@ Below is a list of available field modifiers.
     <li><a href="#gte"><code>gte</code></a></li>
     <li><a href="#lt"><code>lt</code></a></li>
     <li><a href="#lte"><code>lte</code></a></li>
+    <li><a href="#re"><code>re</code></a></li>
     <li><a href="#startswith"><code>startswith</code></a></li>
     <li><a href="#wide"><code>utf16</code> / <code>utf16le</code> / <code>utf16be</code> / <code>wide</code></a></li>
     <li><a href="#windash"><code>windash</code></a></li>
@@ -331,6 +332,26 @@ The `lte` modifier will provide a search where the value of `fieldname` is less
 
 ---
 
+### re
+
+::: code-group
+
+```yaml [/rules/needle_in_end_of_haystack.yaml]
+detection:
+    selection:
+        fieldname|re: .*needle$
+```
+
+```splunk [Splunk Output]
+* | regex fieldname=".*needle$"
+```
+
+:::
+
+The `re` modifier will provide a search where the value of `fieldname` matches the provided regex.
+
+---
+
 ### utf16 / utf16le / utf16be / wide {#wide}
 
 ::: code-group