https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422575#M121349 <P>Thank you for your answer!<BR /> When I test your regex then I see there are two match objects:<BR /> <A href="https://regex101.com/r/lQXqFx/1">https://regex101.com/r/lQXqFx/1</A><BR /> How will Splunk behave in this case?</P> Wed, 05 Dec 2018 07:41:30 GMT whrg 2018-12-05T07:41:30Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422573#M121347 <P>Hello,<BR /> I have events that span multiple lines. One such event looks as follows:</P> <PRE><CODE>... # User details ID: 123 Username: admin Group: admin Group: bin ... </CODE></PRE> <P>Each event has at least one <EM>Group</EM> line.</P> <P>I want to create a field extraction for the first occurence of Group.</P> <P>So, for the example above the extracted field should have the value <STRONG>admin</STRONG>.</P> <P>How do I create such a field extraction?</P> Tue, 04 Dec 2018 13:32:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422573#M121347 whrg 2018-12-04T13:32:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422574#M121348 <P>Try this </P> <PRE><CODE>| rex Group:\s(?&lt;group&gt;\w+)\n+ </CODE></PRE> Tue, 04 Dec 2018 14:48:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422574#M121348 skoelpin 2018-12-04T14:48:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422575#M121349 <P>Thank you for your answer!<BR /> When I test your regex then I see there are two match objects:<BR /> <A href="https://regex101.com/r/lQXqFx/1">https://regex101.com/r/lQXqFx/1</A><BR /> How will Splunk behave in this case?</P> Wed, 05 Dec 2018 07:41:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422575#M121349 whrg 2018-12-05T07:41:30Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422576#M121350 <P>try this in splunk with the rex command its working</P> Wed, 05 Dec 2018 09:32:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422576#M121350 dkeck 2018-12-05T09:32:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422577#M121351 <P>It is working.<BR /> However, I cannot find any documentation as to Splunk handles multiple match objects.</P> Wed, 05 Dec 2018 11:42:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422577#M121351 whrg 2018-12-05T11:42:00Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422578#M121352 <P>by default its matching ungreedy, and if you want it to be global you can add flaggs.</P> <P>I am not sure if there is any doc on that.</P> Wed, 05 Dec 2018 12:08:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422578#M121352 dkeck 2018-12-05T12:08:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422579#M121353 <P>It's working off that <CODE>\n+</CODE> added at the end, saying grab only the first match. If this answered your question, please accept it and close it out</P> Wed, 05 Dec 2018 14:51:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-field-extraction-that-selects-only-the-first/m-p/422579#M121353 skoelpin 2018-12-05T14:51:19Z