topic Re: rex help?? in Splunk Search

rex help??

rakesh_498115 — Sun, 16 Dec 2012 15:26:26 GMT

hi..

how can i tell splunk to pick the first occurence of regular expression from a single event.i have written a regular expression ,and in each single event i have two occurences of this rex expression..is it possbile to pick only the first occurence of rex expression??

if so cab you pls give me the syntax of the regular exp.

thnx.

Re: rex help??

Ayn — Sun, 16 Dec 2012 16:00:23 GMT

Have the regex cover the whole event even after your match until the end. That way you will get the section you want to grab from your regex, then the rest is matched as well. Sometehing like

(?<yourfield>matchingexpression).+$

Re: rex help??

DaveSavage — Sun, 16 Dec 2012 16:16:31 GMT

You haven't thought about teaching this stuff have you Ayn?! 😉
Seriously. It seems we cannot live without regex or Rex, but I have yet to see a solid tutorial, or masterclass on the advanced stuff. Maybe I missed something, it happens. gskinner.com is very useful....but..

Re: rex help??

rakesh_498115 — Sun, 16 Dec 2012 19:02:04 GMT

Can you me the extract query ??
my sample event is some thing like this .

12:10:12
......
.
.....
.....

23:20:10
......
......

I have created field like this.

sourcetype="sysdata" | rex field=_raw "logTime>(?[0-9:]*)<" | top LTIME

this is not giving me proper results.

In my sample event i want to extract the first occurence in my field LTIME .

i.e 12:10:12 in this case ..how can i do it ?

Re: rex help??

Ayn — Sun, 16 Dec 2012 20:54:37 GMT

I just told you that in my answer. What is it you don't understand in it?

Re: rex help??

gkanapathy — Sun, 16 Dec 2012 23:40:28 GMT

This is unnecessary, and expensive in the case of a long event (though of course most events aren't). Any regex will normally stop after the first match unless you specifically ask for multiple matches. This is the default behavior of rex as well as automatic extractions.

Actually, rakesh's problem in particular is not a problem of multiple matches. Probably it's just a bad regex. e.g., case-sensitivity, quoting.

I would also say there's probably a more fundamental solution where his events should probably be timestamped with the first logtime, and therefore he could probably use _time

Re: rex help??

rakesh_498115 — Mon, 17 Dec 2012 20:12:29 GMT

my events are not timestamped with the logtime gkanapathy..can you pls help me in picking up the first tag ..in my rex .

Re: rex help??

jpolvino — Fri, 11 May 2018 15:24:21 GMT

Have you used the max_match=1 option for rex?

If the time you're trying to extract is always the first timestamp, then try this:

your_search | rex max_match=1 "(?<timestamp>^\d\d:\d\d:\d\d)"

If you can post a sanitized event, we can help more.

Re: rex help??

niketn — Fri, 11 May 2018 17:09:56 GMT

@jpolvino, default value of max_match argument (if not specified) is 1 (Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex). Which means even if there are multiple matches of regular expression in the same event, only the first match will be returned.

This being an old post from 2012, I would expect that it is already resolved by now ;). If not sample of data would definitely help and Regular Expression behavior can be tested on sites like regex101.com.