Splunk Search

rex help??

rakesh_498115
Motivator

Hi,

How can I tell Splunk to pick the first occurrence of a regular expression from a single event? I have written a regular expression, and in each single event I have two occurrences of this rex expression. Is it possible to pick only the first occurrence of the rex expression?

If so, can you please give me the syntax of the regular expression?

Thanks.


jpolvino
Builder

Have you used the max_match=1 option for rex?

If the time you're trying to extract is always the first timestamp, then try this:

your_search | rex max_match=1 "(?<timestamp>^\d\d:\d\d:\d\d)"

If you can post a sanitized event, we can help more.


niketn
Legend

@jpolvino, the default value of the max_match argument (if not specified) is 1 (refer to the documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex). This means that even if there are multiple matches of the regular expression in the same event, only the first match will be returned.

This being an old post from 2012, I would expect that it is already resolved by now ;). If not, a sample of the data would definitely help, and regular expression behavior can be tested on sites like regex101.com.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Ayn
Legend

Have the regex cover the whole event, even after your match, until the end. That way you will get the section you want to grab from your regex, and then the rest is matched as well. Something like

(?<yourfield>matchingexpression).+$

rakesh_498115
Motivator

My events are not timestamped with the log time, gkanapathy. Can you please help me in picking up the first tag in my rex?


gkanapathy
Splunk Employee

This is unnecessary, and expensive in the case of a long event (though of course most events aren't). Any regex will normally stop after the first match unless you specifically ask for multiple matches. This is the default behavior of rex as well as of automatic extractions.

Actually, rakesh's problem in particular is not a problem of multiple matches. Probably it's just a bad regex, e.g., case sensitivity or quoting.

I would also say there's probably a more fundamental solution: his events should probably be timestamped with the first log time, and therefore he could probably use _time.


Ayn
Legend

I just told you that in my answer. What is it you don't understand in it?


rakesh_498115
Motivator

Can you give me the extract query?
My sample event is something like this:


12:10:12
......
.
.....
.....

23:20:10
......
......

I have created the field like this:

sourcetype="sysdata" | rex field=_raw "logTime>(?<LTIME>[0-9:]*)<" | top LTIME

This is not giving me proper results.

In my sample event I want to extract the first occurrence into my field LTIME,

i.e. 12:10:12 in this case. How can I do it?

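The behaviour jpolvino and niketn describe (rex returns only the first match unless max_match is raised) can be checked without any indexed data. The following SPL is an added example, not code from the thread: it constructs a single event with two logTime tags via makeresults (the tag layout and the record wrapper are assumptions, since the sample event above lost its markup), then runs the same extraction three ways so the first-occurrence result and the multivalue result can be compared side by side.

```spl
| makeresults
| eval _raw="<record><logTime>12:10:12</logTime> ...... <logTime>23:20:10</logTime> ......</record>"
| rex field=_raw "logTime>(?<LTIME>[0-9:]+)<"
| rex field=_raw max_match=0 "logTime>(?<all_times>[0-9:]+)<"
| eval first_of_all=mvindex(all_times, 0)
| table LTIME all_times first_of_all
```

LTIME holds only 12:10:12 because max_match defaults to 1, so the first rex never looks at the second tag. The second rex uses max_match=0 (unlimited), which turns all_times into a multivalue field with both times; mvindex(all_times, 0) picks the first of those, which is the explicit form of the same result. Two caveats a practitioner should check against real events: PCRE in rex is case-sensitive, so logTime must match the tag's case exactly (prefix the pattern with (?i) if the case varies), and the named group must be spelled (?<LTIME>...) in the search, or the field referenced by top LTIME is never created and top returns nothing.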

DaveSavage
Builder

You haven't thought about teaching this stuff, have you Ayn?! 😉
Seriously. It seems we cannot live without regex or rex, but I have yet to see a solid tutorial or masterclass on the advanced stuff. Maybe I missed something; it happens. gskinner.com is very useful... but...
