https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266767#M80217 <P>This should do it:</P> <PRE><CODE>rex "somestring :(?P&lt;type&gt;[^\n]+)" </CODE></PRE> Wed, 07 Dec 2016 03:11:59 GMT mrgibbon 2016-12-07T03:11:59Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266766#M80216 <P>I have a log file like this:</P> <PRE><CODE>Type: something/something; something The next line </CODE></PRE> <P>I want to write a Splunk search to grab the first line and create a pie chart of the various different types. The problem is the query I wrote is taking in <CODE>The next line</CODE> bit too which I don't want. Here's my query:</P> <PRE><CODE>("Type: " OR "type: ") | rex field=_raw "(?&lt;type&gt;.*)\n" | stats count by type </CODE></PRE> <P>How do I write a search that takes everything after the <CODE>:</CODE> but stops at the newline <CODE>\n</CODE>?</P> Wed, 07 Dec 2016 03:09:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266766#M80216 sankarms 2016-12-07T03:09:13Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266767#M80217 <P>This should do it:</P> <PRE><CODE>rex "somestring :(?P&lt;type&gt;[^\n]+)" </CODE></PRE> Wed, 07 Dec 2016 03:11:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266767#M80217 mrgibbon 2016-12-07T03:11:59Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266768#M80218 <P>Try this please:</P> <PRE><CODE>your query to return events | rex "Type:\s*(?&lt;myType&gt;[^\n\r]+)" | stats count by myType </CODE></PRE> <P>Use visualization as Pie Chart</P> <P><A href="https://regex101.com/r/jnn3ws/1">See extraction here</A></P> Wed, 07 Dec 2016 03:20:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266768#M80218 gokadroid 2016-12-07T03:20:57Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266769#M80219 <P>So would my search be:</P> <P>("Type: " OR "type: ") | rex field=_raw "(?P[^\n]+)" | stats count by type</P> Wed, 07 Dec 2016 03:33:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266769#M80219 sankarms 2016-12-07T03:33:58Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266770#M80220 <P>As per regular expression standards, dot matches any single character except newline character provided regex is run with <STRONG>multiline (?m)</STRONG> regex flag. Following should work for you. You also need to specify match pattern to identify beginning of regular expression extraction i.e. <STRONG>Type:</STRONG></P> <PRE><CODE>| rex field=_raw "(?m)Type:\s(?&lt;type&gt;.*)" </CODE></PRE> <P>PS: By default the regex flag is single line(?s), then dot matches newline character as well, hence you are seeing all the text selected, event from the second line.</P> <P>Also once you have tested the rex command, make sure you move this from your search query to Knowledge object as a Field Extraction, for easy maintenance.</P> Wed, 07 Dec 2016 07:32:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-grab-the-first-line-in-a/m-p/266770#M80220 niketn 2016-12-07T07:32:25Z