https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305888#M164746 <P>Based on the sample data provided please try the following <CODE>rex</CODE> command with max_match=1 (which is by default):</P> <PRE><CODE>| makeresults | eval _raw="~getenrolled, ~enroll, ~submit, ~somethingelse, ~somethingnew" | rex "~(?&lt;FirstAPIName&gt;[^,]+)," max_match=1 </CODE></PRE> <P>Alternatively, you can also use <CODE>caret sign ( ^ )</CODE> if you want to extract required API Name only from beginning of raw data (depends on the data, if this does not work please provide sample raw data)</P> <PRE><CODE>| makeresults | eval _raw="~getenrolled, ~enroll, ~submit, ~somethingelse, ~somethingnew" | rex "^~(?&lt;FirstAPIName&gt;[^,]+)," </CODE></PRE> <P>PS: First two pipes with <CODE>makeresults</CODE> and <CODE>eval</CODE> are used to generate mock data for testing regular expression.</P> Tue, 28 Nov 2017 13:33:43 GMT niketn 2017-11-28T13:33:43Z https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305887#M164745 <P>In a service log different API being invoked each API start with ~( like ~getenrolled, ~enroll, ~submit) so is there any way to extract first API being called by rex </P> <P>i tried (~\w+){1} but it matching with all called API .</P> Tue, 28 Nov 2017 12:03:27 GMT https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305887#M164745 apand84 2017-11-28T12:03:27Z https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305888#M164746 <P>Based on the sample data provided please try the following <CODE>rex</CODE> command with max_match=1 (which is by default):</P> <PRE><CODE>| makeresults | eval _raw="~getenrolled, ~enroll, ~submit, ~somethingelse, ~somethingnew" | rex "~(?&lt;FirstAPIName&gt;[^,]+)," max_match=1 </CODE></PRE> <P>Alternatively, you can also use <CODE>caret sign ( ^ )</CODE> if you want to extract required API Name only from beginning of raw data (depends on the data, if this does not work please provide sample raw data)</P> <PRE><CODE>| makeresults | eval _raw="~getenrolled, ~enroll, ~submit, ~somethingelse, ~somethingnew" | rex "^~(?&lt;FirstAPIName&gt;[^,]+)," </CODE></PRE> <P>PS: First two pipes with <CODE>makeresults</CODE> and <CODE>eval</CODE> are used to generate mock data for testing regular expression.</P> Tue, 28 Nov 2017 13:33:43 GMT https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305888#M164746 niketn 2017-11-28T13:33:43Z https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305889#M164747 <P>Like this:</P> <PRE><CODE>... | rex "~(?&lt;FirstAPIName&gt;\w+)" </CODE></PRE> Tue, 28 Nov 2017 14:17:25 GMT https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305889#M164747 woodcock 2017-11-28T14:17:25Z https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305890#M164748 <P>Unfortunately it will match all called api (started with ~+API name )<BR /> I wanted to extract first matched api which is the main api call subsequent are sub api in service log .</P> Tue, 28 Nov 2017 17:07:42 GMT https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305890#M164748 apand84 2017-11-28T17:07:42Z https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305891#M164749 <P>Then this:</P> <PRE><CODE> ... | rex max_match=1 "~(?&lt;FirstAPIName&gt;\w+)" </CODE></PRE> Tue, 28 Nov 2017 18:40:10 GMT https://community.splunk.com/t5/Splunk-Search/Getting-first-match-field-in-a-event/m-p/305891#M164749 woodcock 2017-11-28T18:40:10Z