Documentation
How to use this tool, practical use cases, and technical notes.
The Regex Tester is designed for speed — you can load a pattern, test it against a string, and copy matches in under 60 seconds. Here is a complete walkthrough of every feature.
Step 1 — Select a Built-In Security Pattern (or Write Your Own)
When the tool loads, it defaults to the IPv4 Address pattern with a sample test string pre-populated. To switch patterns, click any of the five pattern buttons:
Button | Loads Pattern For | Default Test String |
|---|---|---|
IPv4 address | Dotted-decimal IPv4 |
|
Email address | RFC email format | Sample string with email addresses |
HTTP(S) URL | Full HTTP/HTTPS URLs | Sample string with URLs |
CVE identifier | CVE-YEAR-NNNN format | Sample string with CVE IDs |
JWT token | Base64url JWT format | Sample string with a JWT |
To write a custom regex, click into the Regular expression field and type or paste your pattern directly. The tool evaluates it live — no submit button required.
Step 2 — Configure Regex Flags
Flags modify how your regex engine interprets the pattern. The tool exposes all five standard JavaScript regex flags:
Flag | Symbol | What It Does | When to Use in Security Contexts |
|---|---|---|---|
global |
| Find all matches, not just the first | Always on for log parsing — you need every IP/CVE/URL in a line |
ignore case |
| Case-insensitive matching | Matching HTTP methods ( |
multiline |
|
| Parsing multi-line log blocks; matching per-line in a log file |
dotall |
|
| Matching patterns that span multiple lines (multi-line HTTP requests) |
unicode |
| Full Unicode matching | Parsing logs containing non-ASCII characters; internationalized email addresses |
Recommended flag combinations for common security tasks:
Task | Recommended Flags |
|---|---|
Extract all IPs from a log file |
|
Parse URLs case-insensitively |
|
Match CVEs across multi-line SIEM output |
|
Detect JWTs in multi-line HTTP request dumps |
|
Validate internationalized email addresses |
|
Step 3 — Enter Your Test String
Paste the text you want to match against into the Test string field. This can be:
A single log line:
Failed login from 203.0.113.45 at 10.0.0.1Multiple log lines (use multiline flag
m)A raw HTTP request or response
A SIEM alert payload
A block of application output
A threat intelligence report excerpt
The tool evaluates your regex against the test string in real time as you type — no need to click a button.
Step 4 — Read the Highlighted Matches Output
The Highlighted matches section renders your test string with all matched substrings wrapped in highlight markup (shown as ==match== in the interface). This makes it immediately obvious:
What matched — highlighted in the output
What did NOT match — plain text in the output
Over-matching — if too many things are highlighted, your pattern is too broad
Under-matching — if expected matches are not highlighted, refine your pattern
The match count is displayed below the pattern description (e.g., 2 matches found).
Step 5 — Copy Pattern or Matches
Two copy buttons are available:
Button | What It Copies | Where to Use It |
|---|---|---|
Copy pattern | The full regex with flags in | Paste directly into Splunk SPL, Sigma rules, Python |
Copy matches | The list of matched strings (one per line) | Paste into an IoC list, investigation notes, or ticket |
The /pattern/flags format copied by Copy pattern is universally recognized:
/\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\b/gThis format works directly in JavaScript, and the pattern portion is immediately usable in Python's re module, Elastic Query DSL, and most SIEM rule syntaxes.
Step 6 — Iterate and Refine
Regex development for security use cases is iterative. A productive workflow looks like this:
1. Start with built-in pattern → understand baseline behaviorPaste real log data from your environment → observe matchesIdentify false positives (things that matched but shouldn't)Identify false negatives (things that should have matched but didn't)Refine the pattern → re-test until precision is acceptableTest performance against a large/complex string before deployingCopy the final pattern → deploy to SIEM/WAF/code
Common Regex Mistakes in Security Contexts
Mistake | Example | Problem | Fix |
|---|---|---|---|
No word boundary |
| Matches partial strings inside longer numbers | Add |
Invalid octet ranges |
| Matches 999.999.999.999 | Use the validated octet pattern |
Missing global flag |
| Only returns first match in a log file | Add |
Greedy quantifiers on large input |
| Catastrophic backtracking on long strings | Use lazy |
No case normalization | Case-sensitive URL matching | Misses | Add |
Anchoring to string instead of line |
| Pattern only matches start of entire input | Add |
The Regex Tester is designed for speed — you can load a pattern, test it against a string, and copy matches in under 60 seconds. Here is a complete walkthrough of every feature.
Step 1 — Select a Built-In Security Pattern (or Write Your Own)
When the tool loads, it defaults to the IPv4 Address pattern with a sample test string pre-populated. To switch patterns, click any of the five pattern buttons:
Button | Loads Pattern For | Default Test String |
|---|---|---|
IPv4 address | Dotted-decimal IPv4 |
|
Email address | RFC email format | Sample string with email addresses |
HTTP(S) URL | Full HTTP/HTTPS URLs | Sample string with URLs |
CVE identifier | CVE-YEAR-NNNN format | Sample string with CVE IDs |
JWT token | Base64url JWT format | Sample string with a JWT |
To write a custom regex, click into the Regular expression field and type or paste your pattern directly. The tool evaluates it live — no submit button required.
Step 2 — Configure Regex Flags
Flags modify how your regex engine interprets the pattern. The tool exposes all five standard JavaScript regex flags:
Flag | Symbol | What It Does | When to Use in Security Contexts |
|---|---|---|---|
global |
| Find all matches, not just the first | Always on for log parsing — you need every IP/CVE/URL in a line |
ignore case |
| Case-insensitive matching | Matching HTTP methods ( |
multiline |
|
| Parsing multi-line log blocks; matching per-line in a log file |
dotall |
|
| Matching patterns that span multiple lines (multi-line HTTP requests) |
unicode |
| Full Unicode matching | Parsing logs containing non-ASCII characters; internationalized email addresses |
Recommended flag combinations for common security tasks:
Task | Recommended Flags |
|---|---|
Extract all IPs from a log file |
|
Parse URLs case-insensitively |
|
Match CVEs across multi-line SIEM output |
|
Detect JWTs in multi-line HTTP request dumps |
|
Validate internationalized email addresses |
|
Step 3 — Enter Your Test String
Paste the text you want to match against into the Test string field. This can be:
A single log line:
Failed login from 203.0.113.45 at 10.0.0.1Multiple log lines (use multiline flag
m)A raw HTTP request or response
A SIEM alert payload
A block of application output
A threat intelligence report excerpt
The tool evaluates your regex against the test string in real time as you type — no need to click a button.
Step 4 — Read the Highlighted Matches Output
The Highlighted matches section renders your test string with all matched substrings wrapped in highlight markup (shown as ==match== in the interface). This makes it immediately obvious:
What matched — highlighted in the output
What did NOT match — plain text in the output
Over-matching — if too many things are highlighted, your pattern is too broad
Under-matching — if expected matches are not highlighted, refine your pattern
The match count is displayed below the pattern description (e.g., 2 matches found).
Step 5 — Copy Pattern or Matches
Two copy buttons are available:
Button | What It Copies | Where to Use It |
|---|---|---|
Copy pattern | The full regex with flags in | Paste directly into Splunk SPL, Sigma rules, Python |
Copy matches | The list of matched strings (one per line) | Paste into an IoC list, investigation notes, or ticket |
The /pattern/flags format copied by Copy pattern is universally recognized:
/\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\b/gThis format works directly in JavaScript, and the pattern portion is immediately usable in Python's re module, Elastic Query DSL, and most SIEM rule syntaxes.
Step 6 — Iterate and Refine
Regex development for security use cases is iterative. A productive workflow looks like this:
1. Start with built-in pattern → understand baseline behaviorPaste real log data from your environment → observe matchesIdentify false positives (things that matched but shouldn't)Identify false negatives (things that should have matched but didn't)Refine the pattern → re-test until precision is acceptableTest performance against a large/complex string before deployingCopy the final pattern → deploy to SIEM/WAF/code
Common Regex Mistakes in Security Contexts
Mistake | Example | Problem | Fix |
|---|---|---|---|
No word boundary |
| Matches partial strings inside longer numbers | Add |
Invalid octet ranges |
| Matches 999.999.999.999 | Use the validated octet pattern |
Missing global flag |
| Only returns first match in a log file | Add |
Greedy quantifiers on large input |
| Catastrophic backtracking on long strings | Use lazy |
No case normalization | Case-sensitive URL matching | Misses | Add |
Anchoring to string instead of line |
| Pattern only matches start of entire input | Add |