Splunk Search

rex help??

Motivator

Hi..

How can I tell Splunk to pick the first occurrence of a regular expression from a single event? I have written a regular expression, and in each single event I have two occurrences of this rex expression. Is it possible to pick only the first occurrence of the rex expression?

If so, can you please give me the syntax of the regular expression.

Thanks.


Builder

Have you used the max_match=1 option for rex?

If the time you're trying to extract is always the first timestamp, then try this:

your_search | rex max_match=1 "(?<timestamp>^\d\d:\d\d:\d\d)"

If you can post a sanitized event, we can help more.

0 Karma

Legend

@jpolvino, the default value of the max_match argument (if not specified) is 1 (refer to the documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex). This means that even if there are multiple matches of the regular expression in the same event, only the first match will be returned.

This being an old post from 2012, I would expect that it is already resolved by now ;). If not, a sample of the data would definitely help, and regular expression behavior can be tested on sites like regex101.com.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Legend

Have the regex cover the whole event even after your match until the end. That way you will get the section you want to grab from your regex, then the rest is matched as well. Something like

(?<yourfield>matchingexpression).+$

Motivator

My events are not timestamped with the logtime, gkanapathy. Can you please help me in picking up the first tag in my rex?

0 Karma

Splunk Employee

This is unnecessary, and expensive in the case of a long event (though of course most events aren't). Any regex will normally stop after the first match unless you specifically ask for multiple matches. This is the default behavior of rex as well as automatic extractions.

Actually, rakesh's problem in particular is not a problem of multiple matches. Probably it's just a bad regex. e.g., case-sensitivity, quoting.

I would also say there's probably a more fundamental solution where his events should probably be timestamped with the first logtime, and therefore he could probably use _time.

0 Karma

Legend

I just told you that in my answer. What is it you don't understand in it?

0 Karma

Motivator

Can you give me the extract query?
My sample event is something like this.


12:10:12
......
.
.....
.....

23:20:10
......
......

I have created the field like this.

sourcetype="sysdata" | rex field=_raw "logTime>(?<LTIME>[0-9:]*)<" | top LTIME

This is not giving me proper results.

In my sample event I want to extract the first occurrence into my field LTIME.

i.e. 12:10:12 in this case. How can I do it?

0 Karma
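The point made in the replies above (rex keeps only the first match unless max_match asks for more, and a pattern that does not compile extracts nothing) can be checked offline. The following Python script is an added example, not code from the thread or from Splunk: it emulates the extraction half of rex with max_match semantics and runs it over a constructed event shaped like the poster's sample, using the poster's logTime pattern with a named group. The event text, the function names rex_like, first_ltime, all_ltimes and pattern_compiles, and the (?P<name>...) spelling of the named group (Python's syntax for what PCRE writes as (?<name>...)) are assumptions of this example.

```python
import re
from typing import Dict, List, Union

# Constructed sample event (not real data), shaped like the poster's description:
# two logTime values inside ONE event, separated by other lines.
SAMPLE_EVENT = (
    "<logTime>12:10:12</logTime>\n"
    "step one ......\n"
    "step two .....\n"
    "<logTime>23:20:10</logTime>\n"
    "step three ......\n"
)

# The poster's pattern, logTime>(?<LTIME>[0-9:]*)< in PCRE form. Python's re
# module spells a named group as (?P<name>...), so the same capture is written:
LTIME_PATTERN = r"logTime>(?P<LTIME>[0-9:]*)<"

# What the extracted pattern looked like in the thread (named group stripped):
BROKEN_PATTERN = r"logTime>(?[0-9:]*)<"


def pattern_compiles(pattern: str) -> bool:
    """Return True if the regex compiles; a pattern that fails here extracts nothing."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def rex_like(event: str, pattern: str, max_match: int = 1) -> Dict[str, Union[str, List[str]]]:
    """Emulate the field-extraction part of Splunk's rex command (assumption of this example).

    max_match=1 (Splunk's documented default) keeps only the first match of each
    named group; max_match=0 keeps every match and returns a multivalue (list) field.
    """
    if max_match < 0:
        raise ValueError("max_match must be 0 (unlimited) or a positive integer")
    compiled = re.compile(pattern)
    fields: Dict[str, List[str]] = {name: [] for name in compiled.groupindex}
    for count, match in enumerate(compiled.finditer(event), start=1):
        if max_match and count > max_match:
            break  # stop after the first max_match matches
        for name in compiled.groupindex:
            value = match.group(name)
            if value is not None:
                fields[name].append(value)
    # One match yields a single value; several yield a multivalue field, as rex does.
    return {name: (vals[0] if len(vals) == 1 else vals)
            for name, vals in fields.items() if vals}


def first_ltime(event: str) -> str:
    """The poster's goal: only the first logTime in the event (rex default)."""
    return rex_like(event, LTIME_PATTERN)["LTIME"]


def all_ltimes(event: str) -> List[str]:
    """Every logTime in the event, i.e. what rex max_match=0 would return."""
    return rex_like(event, LTIME_PATTERN, max_match=0)["LTIME"]


if __name__ == "__main__":
    print("broken pattern compiles:", pattern_compiles(BROKEN_PATTERN))  # False
    print("first LTIME (max_match=1):", first_ltime(SAMPLE_EVENT))        # 12:10:12
    print("all LTIME (max_match=0):", all_ltimes(SAMPLE_EVENT))           # both values
```

Running it shows that the default already returns 12:10:12 alone, so trailing `.+$` on the pattern is not needed; the thread's symptom matches the broken pattern case, where the named group is malformed and the regex never compiles.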

Builder

You haven't thought about teaching this stuff have you Ayn?! 😉
Seriously. It seems we cannot live without regex or Rex, but I have yet to see a solid tutorial, or masterclass on the advanced stuff. Maybe I missed something, it happens. gskinner.com is very useful....but..

0 Karma