From e99fa28142115256a84d3f626c678d8e1c4c7ad8 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 29 Dec 2023 22:53:52 +0900
Subject: [PATCH 1/2] doc: add re modifier description
---
docs/basics/modifiers.md | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/docs/basics/modifiers.md b/docs/basics/modifiers.md
index 3976ec6..e22215f 100644
--- a/docs/basics/modifiers.md
+++ b/docs/basics/modifiers.md
@@ -41,6 +41,7 @@ Below is a list of available field modifiers.
gte
lt
lte
+ re
startswith
utf16
/ utf16le
/ utf16be
/ wide
windash
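Review bot: the new entry `+ re` carries a leading space before `re` that the neighbouring context lines (`lte`, `startswith`) do not show here; check that the bullet marker and indentation match the rest of the list so it renders as one list item rather than a stray indented line. Alphabetical placement between `lte` and `startswith` is correct.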
@@ -331,6 +332,26 @@ The `lte` modifier will provide a search where the value of `fieldname` is less
---
+### re
+
+::: code-group
+
+```yaml [/rules/needle_in_end_of_haystack.yaml]
+detection:
+ selection:
+ fieldname|re: .*needle$
+```
+
+```splunk [Splunk Output]
+regex fieldname=".*needle$"
+```
+
+:::
+
+The `re` modifier will provide a search where the value of `fieldname` matches the provided regex.
+
+---
+
### utf16 / utf16le / utf16be / wide {#wide}
::: code-group
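Review bot: the description "matches the provided regex" leaves open whether the match is anchored or a search anywhere in the value; the example `.*needle$` implies an unanchored search, in which case the leading `.*` is redundant and `needle$` would express the same thing, so say which semantics `re` has and simplify the example accordingly. The Splunk output `regex fieldname=".*needle$"` is also a bare pipeline command with no search stage in front of it; prefix it so it reads as a runnable query, for example `* | regex fieldname=".*needle$"`.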
From 7a003b0319fed47c0a695e7d40f2b07dd70d3bc5 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 29 Dec 2023 23:15:49 +0900
Subject: [PATCH 2/2] doc: add wildcard to splunk query
---
docs/basics/modifiers.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/basics/modifiers.md b/docs/basics/modifiers.md
index e22215f..d9b8bff 100644
--- a/docs/basics/modifiers.md
+++ b/docs/basics/modifiers.md
@@ -343,7 +343,7 @@ detection:
```
```splunk [Splunk Output]
-regex fieldname=".*needle$"
+* | regex fieldname=".*needle$"
```
:::
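Review bot: `* | regex fieldname=".*needle$"` now reads as a complete SPL query, which fixes the bare-command output from the previous patch. The leading `*` scans every event before the `regex` filter runs, which is fine for a documentation example but worth a one-line remark in the section text so readers know to scope the search (index, sourcetype or other indexed fields) when adapting it.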