Re: How to get rex to stop after the first value f... - Page 2

rob_gibson · ‎10-18-2016

Hello,

I am building a table and supplying values from search. One of the values exists multiple times within each event. I want rex to stop after the first value returned. I thought that may be un greedy but I can't seem to nail down the proper syntax.

I'm grateful for any help.

rex field=statement "(?[^\s]+)"

This rex returns two of the same values into my table for each line. (ALERT, ALERT). I want a single line, therefore I require a single result to be extracted.

UPDATE
I don't wish to waste anybody's time further on this - I am convinced the issue is with the 'statement' field. A simple query (no rex, etc) consistently produces two values on two lines when 'statement' is displayed in a table. Splunk returns that there are only two results, but each result has two lines (4 total). Other fields for example 'RecordNumber' produce a single line.

I have no clue why this is happening but it has nothing to do with rex.

**Turns out the problem was a multivalue field as other's suggested. I modified my search string to eliminate the duplicates;

...| nomv statement | rex field=statement "(?<ALERTTYPE>[^\s]+)" ...

adamsaul · ‎10-19-2016

Sorry about that. I left off the named group.

I'm not sure why that is not matching, @sundareshr appears to working. I just added a bit for the beginning of the line.

rob_gibson · ‎10-19-2016

If I go back to my original rex;
rex field=statement "(?[^\s]+)"
I do get a full word 'Alter' but it appears 2x. Looking at the event data, I do not see the word Alter more than once, so perhaps my rex is not the issue?

Scrubbed event data (complete);

10/17/16
    12:20:25.000 PM     
    10/17/2016 12:20:25 PM
    LogName=Application
    SourceName=MSSQL$OTPMSSQL
    EventCode=33205
    EventType=0
    Type=Information
    ComputerName=hostname.domain.com
    TaskCategory=None
    OpCode=None
    RecordNumber=904492
    Keywords=Audit Success, Classic
    Message=Audit event: event_time:2016-10-17 16:20:24.1512330
    sequence_number:1
    action_id:AL  
    succeeded:true
    permission_bitmask:0
    is_column_permission:false
    session_id:136
    server_principal_id:276
    database_principal_id:1
    target_server_principal_id:0
    target_database_principal_id:0
    object_id:8
    class_type:DB
    session_server_principal_name:domain\userID
    server_principal_name:domain\userID
    server_principal_sid:010500000000000515000000093a2a2426761e2f43170a326b1e0000
    database_principal_name:dbo
    target_server_principal_name:
    target_server_principal_sid:
    target_database_principal_name:
    server_instance_name:hostname\SQL
    database_name:DBA
    schema_name:
    object_name:DBA
    statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA_log', FILEGROWTH = 1048576KB )
    additional_information:
    .
    Collapse

        ComputerName = hostname.domain.com
        EventCode = 33205
        host = hostname
        source = WinEventLog:Application
        sourcetype = WinEventLog:Application

adamsaul · ‎10-19-2016

I think it is giving you the match and sub-match or the match array, which is why it appears twice.

Does appending max_match=1 to the end of your 'rex' search help?

rob_gibson · ‎10-19-2016

Sort of. By appending your suggestion I no longer get two lines, but I do not get a value 'Alter' either.

rex field=statement "(?<field1>[^\s]+) max_match=1"

rob_gibson · ‎10-19-2016

Here is the result in the table;

rob_gibson · ‎10-19-2016

Could it be possible that the result in the table is somehow due to the fact there are two identical events for the same server/date/time? Maybe this is not a rex issue at all.

adamsaul · ‎10-19-2016

Almost looks as if the field is a 'multi-value' field.

Try this:

nomv statement | rex field=statement "(?<field1>[^\s]+)

somesoni2 · ‎10-18-2016

Can we have some sample data on which this regex is run?

rob_gibson · ‎10-18-2016

The statement field contains the string I'm trying to extract from;

statement:ALTER DATABASE [DBA] MODIFY FILE ( NAME = N'DBA', FILEGROWTH = 1048576KB )

When I create the table I am consistently getting two values for the first word in the string, ALTER;

|table ComputerName, "ALERTTYPE", Database, TimeStamp, UserID, EventCode

I can't seem to edit my question, but the reg string above is incomplete - my apologies;

rex field=statement "(?[^\s]+)"

rob_gibson · ‎10-18-2016

Ok, seems that my rex field string above is being clipped by the forum for some reason. I define the ALERTTYPE field in the string.

skoelpin · ‎10-18-2016

As @somesoni2 said.. We cant help until we get some sample data

How to get rex to stop after the first value found?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...