Splunk Search

Pick up the first occurrence of a word

New Member

I want to pick only the first occurrence of a word.

index = index1 ERROR

Event Result

message test error

But I am only interested in the word Error. I thought I could do it with a case-insensitive search, but that is not the correct option, or with the != operator, but this may be too dangerous; I might lose some other events.

0 Karma

Path Finder

Try this

index=index1 | rex field=requestURl "\w+\/test(?<error>Error)" | fields error
0 Karma

Revered Legend

If the location of word ERROR (I'm assuming it's the one that appears after the timestamp) is the filter criteria, try like this

index=index1 ERROR | regex _raw="^\S+\s+ERROR.+"

New Member

It works, thanks, but I'm interested only in the first occurrence of the word error, not the rest.

Log Sample

Line 1 --> 2017-04-29T18:29:27.246+0000
Line 2 --> message test error
Line 3 --> testError
Line 4 --> requestURl="home/testError"

Only want Line 2 Error, which is the first appearance of "ERROR".

I used this command and it works, but I can still see it selects every error in the same event.

index = index1 "ERROR"
| regex _raw="\bError\b"

0 Karma

Revered Legend

So do you have multiline events (field linecount>1)? If yes, then is there any rule like 'only select the events which have the error word in line 2' or something similar? What should happen if line 3 instead of line 2 has the word error?

0 Karma

New Member

As soon as I see the error I want to stop; it doesn't matter if it is in line 1, 2, 3, etc. It can be anywhere in the event.

0 Karma

Revered Legend

What do you want to do after you've picked that first Error word? Do you want to extract any field value around it?

0 Karma

New Member

I don't want to extract to any field, but I'm interested in the whole _raw data.

0 Karma


I think you've got what he means.

0 Karma


updated 8:00 PM CDT (Central US Daylight Savings Time)

This should select the first line that has the word "error", in any case, anywhere in the line.

index = index1 "ERROR"
| rex field=_raw "(?im)^(?<theline>.*error.*)$"
| table _time theline
0 Karma
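To make the difference between the two SPL commands in this thread concrete, here is an added Python model (not code from the thread or from Splunk) of what they do to a multi-line event: `rex` with the `(?im)^(?<theline>.*error.*)$` pattern extracts only the first matching line, while `regex` is an event-level filter that keeps or drops whole events and never trims them. The sample events are constructed from the log samples posted above; the function names and the `max_match` comparison are assumptions for illustration. Python's `re` spells named groups `(?P<name>...)`, so the pattern is written that way here.

```python
import re

# Constructed sample events modelled on the ones posted in this thread
# (not real Splunk data); each string stands for one multi-line _raw event.
EVENTS = {
    "event_a": (
        "2017-04-29T18:29:27.246+0000\n"
        "message test error\n"
        "testError\n"
        'requestURl="home/testError"'
    ),
    "event_b": (
        "2017-04-15T19:19:51.669+0000 ERROR\n"
        "unknown error..........................\n"
        ".............something happened error"
    ),
    "event_c": "2017-04-15T19:20:00.000+0000 INFO\nall good here",
}

# Same pattern as the SPL rex above, using Python's (?P<name>...) group syntax
# where Splunk uses (?<name>...). (?i) = case-insensitive; (?m) = ^ and $
# match at line boundaries inside the event, and '.' never crosses a newline,
# so each match is confined to a single line.
FIRST_ERROR_LINE = re.compile(r"(?im)^(?P<theline>.*error.*)$")


def first_error_line(raw):
    """Model of `rex field=_raw "(?im)^(?<theline>.*error.*)$"`.
    rex keeps only the first match by default, so re.search (not findall)
    is the right analogue. Returns None when no line contains 'error'."""
    m = FIRST_ERROR_LINE.search(raw)
    return m.group("theline") if m else None


def all_error_lines(raw):
    """Model of the same rex with max_match=0: every matching line.
    Shown only for contrast with first_error_line."""
    return FIRST_ERROR_LINE.findall(raw)


def regex_filter(events, pattern):
    """Model of `| regex _raw="<pattern>"`: an event-level filter that keeps or
    drops whole events. It never reduces an event to one line, which is why
    the regex-based attempts earlier in the thread still showed every
    'error' in the event. Patterns are case-sensitive unless they say (?i)."""
    compiled = re.compile(pattern)
    return {name: raw for name, raw in events.items() if compiled.search(raw)}


def table_time_theline(events):
    """Model of `| table _time theline`: one row per event, first error line only.
    Assumes the timestamp is the first token of each event, as in the samples."""
    rows = []
    for raw in events.values():
        first_line = raw.split("\n", 1)[0]
        timestamp = first_line.split(" ", 1)[0]
        rows.append((timestamp, first_error_line(raw)))
    return rows


if __name__ == "__main__":
    # Case-sensitive word filter as in the thread's `regex _raw="\bERROR\b"`:
    # only event_b has the standalone upper-case token.
    print("kept by \\bERROR\\b:", sorted(regex_filter(EVENTS, r"\bERROR\b")))
    # Case-insensitive variant keeps every event with a whole-word 'error'.
    print("kept by (?i)\\berror\\b:", sorted(regex_filter(EVENTS, r"(?i)\berror\b")))
    # The rex model: one line per event, the first that mentions 'error'.
    for ts, line in table_time_theline(EVENTS):
        print(ts, "->", line)
    # And what max_match=0 would have returned for event_a, for comparison.
    print("all lines in event_a:", all_error_lines(EVENTS["event_a"]))
```

Note that `\bERROR\b` does not match `testError` or `home/testError` at all (no word boundary between `test` and `Error`), and a case-sensitive pattern silently misses lower-case `error`; when filtering, decide explicitly whether the case and word-boundary behaviour is what you want, because the filter drops events you never see.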

New Member


It didn't work, getting error
Error in 'SearchOperator:regex': Usage: regex (=|!=)

and ERROR is not a field

0 Karma

New Member

Sample Event Result 1:
2017-04-15T19:19:51.669+0000 ERROR
unknown error..........................
.............something happened error

I am interested only in the very first appearance of the Error in the raw data.

Not sure if it is correct: getting an actual result, but it selects every error in sample Event Result 1.
index= index1 ERROR | regex _raw="\bERROR\b"

0 Karma


corrected grammar, try again.

0 Karma


Do you intend to perform a case-sensitive search? You can add the following to your base search: CASE("*Error")


| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

not really,

I am interested only in the first occurrence of the word error, and error is not a field.

0 Karma

New Member

It would be helpful in the future.

0 Karma