Getting first match field in a event

apand84 · ‎11-28-2017

In a service log different API being invoked each API start with ~( like ~getenrolled, ~enroll, ~submit) so is there any way to extract first API being called by rex

i tried (~\w+){1} but it matching with all called API .

woodcock · ‎11-28-2017

Like this:

... | rex "~(?<FirstAPIName>\w+)"

apand84 · ‎11-28-2017

Unfortunately it will match all called api (started with ~+API name )
I wanted to extract first matched api which is the main api call subsequent are sub api in service log .

woodcock · ‎11-28-2017

Then this:

 ... | rex max_match=1 "~(?<FirstAPIName>\w+)"

niketn · ‎11-28-2017

Based on the sample data provided please try the following rex command with max_match=1 (which is by default):

|  makeresults
|  eval _raw="~getenrolled, ~enroll, ~submit, ~somethingelse, ~somethingnew"
|  rex  "~(?<FirstAPIName>[^,]+)," max_match=1

Alternatively, you can also use caret sign ( ^ ) if you want to extract required API Name only from beginning of raw data (depends on the data, if this does not work please provide sample raw data)

|  makeresults
|  eval _raw="~getenrolled, ~enroll, ~submit, ~somethingelse, ~somethingnew"
|  rex  "^~(?<FirstAPIName>[^,]+),"

PS: First two pipes with makeresults and eval are used to generate mock data for testing regular expression.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Getting first match field in a event

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk