https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678025#M231876 <P><SPAN>I'm not sure why rex is properly matching the beginning of the value I am looking for (NameofTeam), but it also matches and includes everything after it. As I understand it, my search should stop matching when it reaches&nbsp;"}, after matching the team name. What am I doing wrong?</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?&lt;Team&gt;.+)\"},"</LI-CODE><P>&nbsp;</P><P><SPAN>Sample Data:<BR /></SPAN></P><LI-CODE lang="markup">{"Key": "OtherKey", "ValueString": "OtherValue"}, {"Key": "Owner", "ValueString": "NameofTeam"}, {"Key": "OtherKey", "ValueString": "OtherValue"},</LI-CODE><P><SPAN>Expected Output:<BR /></SPAN></P><LI-CODE lang="markup">NameofTeam</LI-CODE><P><SPAN>Actual Output:<BR /></SPAN></P><LI-CODE lang="markup">NameofTeam"}, {"Key": "OtherKey", "ValueString": "OtherValue"},</LI-CODE><P><SPAN>&nbsp;</SPAN></P> Thu, 22 Feb 2024 07:44:50 GMT ea-2023 2024-02-22T07:44:50Z https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678025#M231876 <P><SPAN>I'm not sure why rex is properly matching the beginning of the value I am looking for (NameofTeam), but it also matches and includes everything after it. As I understand it, my search should stop matching when it reaches&nbsp;"}, after matching the team name. What am I doing wrong?</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?&lt;Team&gt;.+)\"},"</LI-CODE><P>&nbsp;</P><P><SPAN>Sample Data:<BR /></SPAN></P><LI-CODE lang="markup">{"Key": "OtherKey", "ValueString": "OtherValue"}, {"Key": "Owner", "ValueString": "NameofTeam"}, {"Key": "OtherKey", "ValueString": "OtherValue"},</LI-CODE><P><SPAN>Expected Output:<BR /></SPAN></P><LI-CODE lang="markup">NameofTeam</LI-CODE><P><SPAN>Actual Output:<BR /></SPAN></P><LI-CODE lang="markup">NameofTeam"}, {"Key": "OtherKey", "ValueString": "OtherValue"},</LI-CODE><P><SPAN>&nbsp;</SPAN></P> Thu, 22 Feb 2024 07:44:50 GMT https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678025#M231876 ea-2023 2024-02-22T07:44:50Z https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678034#M231877 <P>The <FONT face="courier new,courier">+</FONT> quantifier is greedy, meaning it will match as many characters as possible.&nbsp; So you'll get everything from NameofTeam until the end of the data.&nbsp; To avoid that, use the non-greedy quantifier <FONT face="courier new,courier">+?</FONT>, even better, change the pattern to match until the next quotation mark.</P><LI-CODE lang="markup">index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?&lt;Team&gt;.+?)\"},"</LI-CODE><LI-CODE lang="markup">index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?&lt;Team&gt;[^"]+)\"},"</LI-CODE><P>&nbsp;</P> Tue, 20 Feb 2024 01:42:42 GMT https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678034#M231877 richgalloway 2024-02-20T01:42:42Z https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678116#M231907 <P>The first one did end up working for me. The second one for whatever reason was throwing&nbsp;<EM>Error in 'SearchParser': Mismatched ']'.</EM>&nbsp;Not a big deal for me since the first one works, but figured I'd mention it.</P><LI-CODE lang="markup">| rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?&lt;Owner&gt;[^"])\"},"</LI-CODE><P><BR />The second one is what I thought I was doing... capturing everything until it saw <EM>"},&nbsp; &nbsp;</EM><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />Thank you for helping me with this!</P> Tue, 20 Feb 2024 18:33:08 GMT https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678116#M231907 ea-2023 2024-02-20T18:33:08Z https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678187#M231938 <P>The second <FONT face="courier new,courier">rex</FONT> command probably needs additional escaping, but since the first works for you we'll leave it at that.</P> Wed, 21 Feb 2024 13:24:53 GMT https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678187#M231938 richgalloway 2024-02-21T13:24:53Z https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678208#M231942 <P>You can try this regex also :&nbsp;</P><P>"Key":\s*"Owner",\s*"ValueString":\s*"(?&lt;Team_Name&gt;[^"]*)"</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Regex" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29424iB83329E6B701346B/image-size/large?v=v2&amp;px=999" role="button" title="regex.png" alt="Regex" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Regex</span></span></P> Wed, 21 Feb 2024 15:42:28 GMT https://community.splunk.com/t5/Splunk-Search/Rex-not-stopping-capture-after-match/m-p/678208#M231942 kiran_panchavat 2024-02-21T15:42:28Z