topic Re: How to get rex to stop after the first value found? in Splunk Search

How to get rex to stop after the first value found?

rob_gibson — Tue, 18 Oct 2016 20:17:57 GMT

Hello,

I am building a table and supplying values from search. One of the values exists multiple times within each event. I want rex to stop after the first value returned. I thought that may be un greedy but I can't seem to nail down the proper syntax.

I'm grateful for any help.

rex field=statement "(?[^\s]+)"

This rex returns two of the same values into my table for each line. (ALERT, ALERT). I want a single line, therefore I require a single result to be extracted.

UPDATE
I don't wish to waste anybody's time further on this - I am convinced the issue is with the 'statement' field. A simple query (no rex, etc) consistently produces two values on two lines when 'statement' is displayed in a table. Splunk returns that there are only two results, but each result has two lines (4 total). Other fields for example 'RecordNumber' produce a single line.

I have no clue why this is happening but it has nothing to do with rex.

**Turns out the problem was a multivalue field as other's suggested. I modified my search string to eliminate the duplicates;

...| nomv statement | rex field=statement "(?<ALERTTYPE>[^\s]+)" ...

Re: How to get rex to stop after the first value found?

somesoni2 — Tue, 18 Oct 2016 20:31:36 GMT

Can we have some sample data on which this regex is run?

Re: How to get rex to stop after the first value found?

skoelpin — Tue, 18 Oct 2016 20:34:12 GMT

As @somesoni2 said.. We cant help until we get some sample data

Re: How to get rex to stop after the first value found?

rob_gibson — Tue, 18 Oct 2016 20:47:03 GMT

The statement field contains the string I'm trying to extract from;

statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA', FILEGROWTH = 1048576KB )

When I create the table I am consistently getting two values for the first word in the string, ALTER;

|table ComputerName, "ALERTTYPE", Database, TimeStamp, UserID, EventCode

I can't seem to edit my question, but the reg string above is incomplete - my apologies;

rex field=statement "(?[^\s]+)"

Re: How to get rex to stop after the first value found?

rob_gibson — Tue, 18 Oct 2016 20:48:51 GMT

Ok, seems that my rex field string above is being clipped by the forum for some reason. I define the ALERTTYPE field in the string.

Re: How to get rex to stop after the first value found?

adamsaul — Tue, 18 Oct 2016 21:11:59 GMT

How about using a quantifier? This will restrict it to the first match

 rex field=statement "(?[^\s]{1})"

Your use of the "+" (plus sign) indicates to 'regex', one or more matches

Re: How to get rex to stop after the first value found?

sundareshr — Tue, 18 Oct 2016 21:19:19 GMT

If you only extracting the first word, try this

... | rex field=statement "(?<ALERTTYPE>\w+)" max_match=1

Here's a runanywhere sample

| makeresults | eval statement="ALTER ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA', FILEGROWTH = 1048576KB )" | rex field=statement "(?<ALERTTYPE>\w+)" max_match=1 | table statement ALERTTYPE

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 15:07:07 GMT

Ok, these did not produce any value for the AlertType field.

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 15:09:33 GMT

This still returns two values, but only the letter 'A', not the entire word 'Alert'.

I'm starting to wonder if the issue is unrelated to the rex statement (ie; maybe the word 'ALERT' only appears once for each event and the return value is being duplicated for another reason.)

Re: How to get rex to stop after the first value found?

adamsaul — Wed, 19 Oct 2016 15:18:18 GMT

Can you provide some sample data and the data you want extracted?

Be sure to use the code sample format when you post

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 17:00:05 GMT

data sample above (yesterday) in response to skoelpin. I'll try to post it in the question body.

Re: How to get rex to stop after the first value found?

adamsaul — Wed, 19 Oct 2016 17:34:11 GMT

rex field=statement "(^\w+)"

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 17:46:08 GMT

I think I needed to change this slightly as Splunk returned "Error in 'rex' command: The regex '(^\w+)' does not extract anything. It should specify at least one named group. Format: (?...). "

So I changed to;

rex field=statement "(?<ALERTTYPE>[^\w+])"

And that produced zero results for statement

Re: How to get rex to stop after the first value found?

adamsaul — Wed, 19 Oct 2016 17:49:44 GMT

Sorry about that. I left off the named group.

I'm not sure why that is not matching, @sundareshr appears to working. I just added a bit for the beginning of the line.

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 17:55:18 GMT

If I go back to my original rex;
rex field=statement "(?[^\s]+)"
I do get a full word 'Alter' but it appears 2x. Looking at the event data, I do not see the word Alter more than once, so perhaps my rex is not the issue?

Scrubbed event data (complete);

10/17/16
    12:20:25.000 PM     
    10/17/2016 12:20:25 PM
    LogName=Application
    SourceName=MSSQL$OTPMSSQL
    EventCode=33205
    EventType=0
    Type=Information
    ComputerName=hostname.domain.com
    TaskCategory=None
    OpCode=None
    RecordNumber=904492
    Keywords=Audit Success, Classic
    Message=Audit event: event_time:2016-10-17 16:20:24.1512330
    sequence_number:1
    action_id:AL  
    succeeded:true
    permission_bitmask:0
    is_column_permission:false
    session_id:136
    server_principal_id:276
    database_principal_id:1
    target_server_principal_id:0
    target_database_principal_id:0
    object_id:8
    class_type:DB
    session_server_principal_name:domain\userID
    server_principal_name:domain\userID
    server_principal_sid:010500000000000515000000093a2a2426761e2f43170a326b1e0000
    database_principal_name:dbo
    target_server_principal_name:
    target_server_principal_sid:
    target_database_principal_name:
    server_instance_name:hostname\SQL
    database_name:DBA
    schema_name:
    object_name:DBA
    statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA_log', FILEGROWTH = 1048576KB )
    additional_information:
    .
    Collapse

        ComputerName = hostname.domain.com
        EventCode = 33205
        host = hostname
        source = WinEventLog:Application
        sourcetype = WinEventLog:Application

Re: How to get rex to stop after the first value found?

adamsaul — Wed, 19 Oct 2016 18:06:04 GMT

I think it is giving you the match and sub-match or the match array, which is why it appears twice.

Does appending max_match=1 to the end of your 'rex' search help?

Re: How to get rex to stop after the first value found?

lakromani — Wed, 19 Oct 2016 18:12:20 GMT

If you like to get the first word of a string inn to a variable, this should do:

ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA', FILEGROWTH = 1048576KB )
your search | rex "^(?<AlertType>\S+)"

Gives

AlertType=ALTER

The ^ in the regex tells to get text from the line until the first space.

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 18:18:43 GMT

Sort of. By appending your suggestion I no longer get two lines, but I do not get a value 'Alter' either.

rex field=statement "(?<field1>[^\s]+) max_match=1"

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 18:22:44 GMT

Here is the result in the table;

Re: How to get rex to stop after the first value found?

rob_gibson — Wed, 19 Oct 2016 18:34:53 GMT

I had to change that a bit, as the value is extracted from the 'statement' field;

rex field=statement "^(?<field1>\S+)"

But the result is still two lines,