@jpolvino, default value of max_match argument (if not specified) is 1 (Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex). Which means even if there are multiple matches of regular expression in the same event, only the first match will be returned.

This being an old post from 2012, I would expect that it is already resolved by now ;). If not sample of data would definitely help and Regular Expression behavior can be tested on sites like regex101.com.

my events are not timestamped with the logtime gkanapathy..can you pls help me in picking up the first tag ..in my rex .

This is unnecessary, and expensive in the case of a long event (though of course most events aren't). Any regex will normally stop after the first match unless you specifically ask for multiple matches. This is the default behavior of rex as well as automatic extractions.

Actually, rakesh's problem in particular is not a problem of multiple matches. Probably it's just a bad regex. e.g., case-sensitivity, quoting.

I would also say there's probably a more fundamental solution where his events should probably be timestamped with the first logtime, and therefore he could probably use _time

I just told you that in my answer. What is it you don't understand in it?

Can you me the extract query ??
my sample event is some thing like this .

12:10:12
......
.
.....
.....

23:20:10
......
......

I have created field like this.

sourcetype="sysdata" | rex field=_raw "logTime>(?[0-9:]*)<" | top LTIME

this is not giving me proper results.

In my sample event i want to extract the first occurence in my field LTIME .

i.e 12:10:12 in this case ..how can i do it ?

You haven't thought about teaching this stuff have you Ayn?! 😉
Seriously. It seems we cannot live without regex or Rex, but I have yet to see a solid tutorial, or masterclass on the advanced stuff. Maybe I missed something, it happens. gskinner.com is very useful....but..