Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get rex to stop after the first value found?

rob_gibson
Path Finder
‎10-18-2016 01:17 PM

Hello,

I am building a table and supplying values from search. One of the values exists multiple times within each event. I want rex to stop after the first value returned. I thought that may be un greedy but I can't seem to nail down the proper syntax.

I'm grateful for any help.

rex field=statement "(?[^\s]+)"

This rex returns two of the same values into my table for each line. (ALERT, ALERT). I want a single line, therefore I require a single result to be extracted.

UPDATE
I don't wish to waste anybody's time further on this - I am convinced the issue is with the 'statement' field. A simple query (no rex, etc) consistently produces two values on two lines when 'statement' is displayed in a table. Splunk returns that there are only two results, but each result has two lines (4 total). Other fields for example 'RecordNumber' produce a single line.

I have no clue why this is happening but it has nothing to do with rex.

**Turns out the problem was a multivalue field as other's suggested. I modified my search string to eliminate the duplicates;

...| nomv statement | rex field=statement "(?<ALERTTYPE>[^\s]+)" ...
Tags (3)
0 Karma
Reply

adamsaul
Communicator
‎10-19-2016 10:49 AM

Sorry about that. I left off the named group.

I'm not sure why that is not matching, @sundareshr appears to working. I just added a bit for the beginning of the line.

0 Karma
Reply

rob_gibson
Path Finder
‎10-19-2016 10:55 AM

If I go back to my original rex;
rex field=statement "(?[^\s]+)"
I do get a full word 'Alter' but it appears 2x. Looking at the event data, I do not see the word Alter more than once, so perhaps my rex is not the issue?

Scrubbed event data (complete);

10/17/16
    12:20:25.000 PM     
    10/17/2016 12:20:25 PM
    LogName=Application
    SourceName=MSSQL$OTPMSSQL
    EventCode=33205
    EventType=0
    Type=Information
    ComputerName=hostname.domain.com
    TaskCategory=None
    OpCode=None
    RecordNumber=904492
    Keywords=Audit Success, Classic
    Message=Audit event: event_time:2016-10-17 16:20:24.1512330
    sequence_number:1
    action_id:AL  
    succeeded:true
    permission_bitmask:0
    is_column_permission:false
    session_id:136
    server_principal_id:276
    database_principal_id:1
    target_server_principal_id:0
    target_database_principal_id:0
    object_id:8
    class_type:DB
    session_server_principal_name:domain\userID
    server_principal_name:domain\userID
    server_principal_sid:010500000000000515000000093a2a2426761e2f43170a326b1e0000
    database_principal_name:dbo
    target_server_principal_name:
    target_server_principal_sid:
    target_database_principal_name:
    server_instance_name:hostname\SQL
    database_name:DBA
    schema_name:
    object_name:DBA
    statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA_log', FILEGROWTH = 1048576KB )
    additional_information:
    .
    Collapse

        ComputerName = hostname.domain.com
        EventCode = 33205
        host = hostname
        source = WinEventLog:Application
        sourcetype = WinEventLog:Application
0 Karma
Reply

adamsaul
Communicator
‎10-19-2016 11:06 AM

I think it is giving you the match and sub-match or the match array, which is why it appears twice.

Does appending max_match=1 to the end of your 'rex' search help?

0 Karma
Reply

rob_gibson
Path Finder
‎10-19-2016 11:18 AM

Sort of. By appending your suggestion I no longer get two lines, but I do not get a value 'Alter' either.

rex field=statement "(?<field1>[^\s]+) max_match=1"
0 Karma
Reply

rob_gibson
Path Finder
‎10-19-2016 11:22 AM

Here is the result in the table;
alt text

0 Karma
Reply

rob_gibson
Path Finder
‎10-19-2016 11:49 AM

Could it be possible that the result in the table is somehow due to the fact there are two identical events for the same server/date/time? Maybe this is not a rex issue at all.

0 Karma
Reply

adamsaul
Communicator
‎10-19-2016 11:41 AM

Almost looks as if the field is a 'multi-value' field.

Try this:

nomv statement | rex field=statement "(?<field1>[^\s]+)
0 Karma
Reply

somesoni2
Revered Legend
‎10-18-2016 01:31 PM

Can we have some sample data on which this regex is run?

0 Karma
Reply

rob_gibson
Path Finder
‎10-18-2016 01:47 PM

The statement field contains the string I'm trying to extract from;

statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA', FILEGROWTH = 1048576KB )

When I create the table I am consistently getting two values for the first word in the string, ALTER;

|table ComputerName, "ALERTTYPE", Database, TimeStamp, UserID, EventCode

I can't seem to edit my question, but the reg string above is incomplete - my apologies;

rex field=statement "(?[^\s]+)"

0 Karma
Reply

rob_gibson
Path Finder
‎10-18-2016 01:48 PM

Ok, seems that my rex field string above is being clipped by the forum for some reason. I define the ALERTTYPE field in the string.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-18-2016 01:34 PM

As @somesoni2 said.. We cant help until we get some sample data

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...