Solved: rex stop after first match

poisar · ‎12-03-2020

i have a field with several strings like

fieldname = AT-field2-field3

fieldname = DE-field2

fieldname = DE-field2-field3-field4

etc...

I try to get a rex to just get the country code:

|rex field=fieldname "^(?<country>.*)-.*"

but the result is not just the Country Code

any ideas?

richgalloway · ‎12-03-2020

The .* operator is greedy so it will grab as many characters as it can that still match the expression. One solution is to use the non-greedy quantifier.

|rex field=fieldname "^(?<country>.*?)-.*"

Another solution is to take everything up to the first hyphen. Like this:

| rex field=fieldname "^(?<country>[^-]+)-"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-03-2020

The .* operator is greedy so it will grab as many characters as it can that still match the expression. One solution is to use the non-greedy quantifier.

|rex field=fieldname "^(?<country>.*?)-.*"

Another solution is to take everything up to the first hyphen. Like this:

| rex field=fieldname "^(?<country>[^-]+)-"

---
If this reply helps you, Karma would be appreciated.

poisar · ‎12-03-2020

thank you for your input. Both variants work and i learned something new 🙂

rex stop after first match

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!