Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex not stopping capture after match

ea-2023
Path Finder
‎02-19-2024 03:52 PM

I'm not sure why rex is properly matching the beginning of the value I am looking for (NameofTeam), but it also matches and includes everything after it. As I understand it, my search should stop matching when it reaches "}, after matching the team name. What am I doing wrong?

 

index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?<Team>.+)\"},"

 

Sample Data:

{"Key": "OtherKey", "ValueString": "OtherValue"}, {"Key": "Owner", "ValueString": "NameofTeam"}, {"Key": "OtherKey", "ValueString": "OtherValue"},

Expected Output:

NameofTeam

Actual Output:

NameofTeam"}, {"Key": "OtherKey", "ValueString": "OtherValue"},

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2024 05:42 PM

The + quantifier is greedy, meaning it will match as many characters as possible.  So you'll get everything from NameofTeam until the end of the data.  To avoid that, use the non-greedy quantifier +?, even better, change the pattern to match until the next quotation mark.

index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?<Team>.+?)\"},"
index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?<Team>[^"]+)\"},"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎02-21-2024 07:42 AM

You can try this regex also : 

"Key":\s*"Owner",\s*"ValueString":\s*"(?<Team_Name>[^"]*)"

RegexRegex

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2024 05:42 PM

The + quantifier is greedy, meaning it will match as many characters as possible.  So you'll get everything from NameofTeam until the end of the data.  To avoid that, use the non-greedy quantifier +?, even better, change the pattern to match until the next quotation mark.

index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?<Team>.+?)\"},"
index=test | rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?<Team>[^"]+)\"},"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ea-2023
Path Finder
‎02-20-2024 10:33 AM

The first one did end up working for me. The second one for whatever reason was throwing Error in 'SearchParser': Mismatched ']'. Not a big deal for me since the first one works, but figured I'd mention it.

| rex field=_raw "Key\": \"Owner\", \"ValueString\": \"(?<Owner>[^"])\"},"


The second one is what I thought I was doing... capturing everything until it saw "},   🙂

Thank you for helping me with this!

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2024 05:24 AM

The second rex command probably needs additional escaping, but since the first works for you we'll leave it at that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...