Solved: rex stop after first match

poisar · ‎12-03-2020

i have a field with several strings like

fieldname = AT-field2-field3

fieldname = DE-field2

fieldname = DE-field2-field3-field4

etc...

I try to get a rex to just get the country code:

|rex field=fieldname "^(?<country>.*)-.*"

but the result is not just the Country Code

any ideas?

richgalloway · ‎12-03-2020

The .* operator is greedy so it will grab as many characters as it can that still match the expression. One solution is to use the non-greedy quantifier.

|rex field=fieldname "^(?<country>.*?)-.*"

Another solution is to take everything up to the first hyphen. Like this:

| rex field=fieldname "^(?<country>[^-]+)-"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-03-2020

The .* operator is greedy so it will grab as many characters as it can that still match the expression. One solution is to use the non-greedy quantifier.

|rex field=fieldname "^(?<country>.*?)-.*"

Another solution is to take everything up to the first hyphen. Like this:

| rex field=fieldname "^(?<country>[^-]+)-"

---
If this reply helps you, Karma would be appreciated.

poisar · ‎12-03-2020

thank you for your input. Both variants work and i learned something new 🙂

rex stop after first match

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation