Solved: How do I make a field extraction that selects only...

whrg · ‎12-04-2018

Hello,
I have events that span multiple lines. One such event looks as follows:

...
# User details
ID: 123
Username: admin
Group: admin
Group: bin
...

Each event has at least one Group line.

I want to create a field extraction for the first occurence of Group.

So, for the example above the extracted field should have the value admin.

How do I create such a field extraction?

skoelpin · ‎12-04-2018

Try this

| rex Group:\s(?<group>\w+)\n+

View solution in original post

skoelpin · ‎12-04-2018

Try this

| rex Group:\s(?<group>\w+)\n+

View solution in original post

whrg · ‎12-04-2018

Thank you for your answer!
When I test your regex then I see there are two match objects:
https://regex101.com/r/lQXqFx/1
How will Splunk behave in this case?

skoelpin · ‎12-05-2018

It's working off that \n+ added at the end, saying grab only the first match. If this answered your question, please accept it and close it out

dkeck · ‎12-05-2018

try this in splunk with the rex command its working

whrg · ‎12-05-2018

It is working.
However, I cannot find any documentation as to Splunk handles multiple match objects.

dkeck · ‎12-05-2018

by default its matching ungreedy, and if you want it to be global you can add flaggs.

I am not sure if there is any doc on that.

How do I make a field extraction that selects only the first occurrence?