https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352924#M104465 <P>This helped,made some changes to it..Thanks</P> Thu, 01 Feb 2018 16:43:59 GMT vrmandadi 2018-02-01T16:43:59Z https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352920#M104461 <P>I have the below sample data, and I want to extract everything after the service URL till <CODE>maxd=60&amp;mind=60</CODE> into a new field called <CODE>service</CODE>.</P> <P>I have used (?i) url: (?P.+?)\w+= but it is not extracting completly</P> <PRE><CODE>31 Jan 2018 20:22:13 [INFO ] AD Transaction: timestamp: 1513204259, transactionID: 2899739, reqID: 3022368026, uuid: 72dca744-b342-4aac-9861-005056b21335, type: ad request, transaction: start, service url: <A href="http://mrm.mdc.time.com/ad/p/1?nw=376521&amp;mode=live&amp;vdur=600&amp;flag=+sltp+amsl+ssus+amcb+dtrd&amp;metr=1031&amp;prof=376521:twc_hls_live&amp;caid=SCI_LIVE&amp;csid=stva_ios_tab_live&amp;resp=vmap1&amp;pvrn=72dca744-b342-4aac-9861-005056b21335&amp;vprn=72dca744-b342-4aac-9861-005056b21335&amp;vcid=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vcid2=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vip=24.211.233.182;;&amp;ptgt=a&amp;slau=midroll&amp;slid=3545782&amp;cpsq=1513204259&amp;maxd=60&amp;mind=60" target="test_blank">http://mrm.mdc.time.com/ad/p/1?nw=376521&amp;mode=live&amp;vdur=600&amp;flag=+sltp+amsl+ssus+amcb+dtrd&amp;metr=1031&amp;prof=376521:twc_hls_live&amp;caid=SCI_LIVE&amp;csid=stva_ios_tab_live&amp;resp=vmap1&amp;pvrn=72dca744-b342-4aac-9861-005056b21335&amp;vprn=72dca744-b342-4aac-9861-005056b21335&amp;vcid=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vcid2=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vip=24.211.233.182;;&amp;ptgt=a&amp;slau=midroll&amp;slid=3545782&amp;cpsq=1513204259&amp;maxd=60&amp;mind=60</A>, client url: <A href="http://mmdai-linear-west-01.time.com" target="test_blank">http://mmdai-linear-west-01.time.com</A> </CODE></PRE> Wed, 31 Jan 2018 21:00:33 GMT https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352920#M104461 vrmandadi 2018-01-31T21:00:33Z https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352921#M104462 <P>How about trying this:</P> <PRE><CODE>your query to return events | rex "service url:\s*(?&lt;service&gt;.*)&amp;maxd=60&amp;mind=60" | table service </CODE></PRE> <P>see extraction <A href="https://regex101.com/r/2GK0SZ/2">here</A></P> Wed, 31 Jan 2018 21:13:30 GMT https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352921#M104462 gokadroid 2018-01-31T21:13:30Z https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352922#M104463 <P>try this also:</P> <PRE><CODE>...| rex "(?i)service url:\s*(?&lt;service&gt;.*)&amp;maxd=60&amp;mind=60" </CODE></PRE> Thu, 01 Feb 2018 02:22:16 GMT https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352922#M104463 493669 2018-02-01T02:22:16Z https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352923#M104464 <P>hey try this run anywhere search</P> <PRE><CODE>| makeresults | eval _raw="31 Jan 2018 20:22:13 [INFO ] AD Transaction: timestamp: 1513204259, transactionID: 2899739, reqID: 3022368026, uuid: 72dca744-b342-4aac-9861-005056b21335, type: ad request, transaction: start, service url: <A href="http://mrm.mdc.time.com/ad/p/1?nw=376521&amp;mode=live&amp;vdur=600&amp;flag=+sltp+amsl+ssus+amcb+dtrd&amp;metr=1031&amp;prof=376521:twc_hls_live&amp;caid=SCI_LIVE&amp;csid=stva_ios_tab_live&amp;resp=vmap1&amp;pvrn=72dca744-b342-4aac-9861-005056b21335&amp;vprn=72dca744-b342-4aac-9861-005056b21335&amp;vcid=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vcid2=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vip=24.211.233.182;;&amp;ptgt=a&amp;slau=midroll&amp;slid=3545782&amp;cpsq=1513204259&amp;maxd=60&amp;mind=60" target="test_blank">http://mrm.mdc.time.com/ad/p/1?nw=376521&amp;mode=live&amp;vdur=600&amp;flag=+sltp+amsl+ssus+amcb+dtrd&amp;metr=1031&amp;prof=376521:twc_hls_live&amp;caid=SCI_LIVE&amp;csid=stva_ios_tab_live&amp;resp=vmap1&amp;pvrn=72dca744-b342-4aac-9861-005056b21335&amp;vprn=72dca744-b342-4aac-9861-005056b21335&amp;vcid=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vcid2=ff5cac5c-8dfe-31c5-a497-8bf8be88095a&amp;vip=24.211.233.182;;&amp;ptgt=a&amp;slau=midroll&amp;slid=3545782&amp;cpsq=1513204259&amp;maxd=60&amp;mind=60</A>, client url: <A href="http://mmdai-linear-west-01.time.com&quot;" target="test_blank">http://mmdai-linear-west-01.time.com"</A>; | rex field=_raw "service\surl\:\s+(?&lt;service_URL&gt;.*)&amp;maxd=60&amp;mind=60" </CODE></PRE> <P>In your environment, you should write</P> <PRE><CODE>&lt;base_search&gt; | rex field=_raw "service\surl\:\s+(?&lt;service_URL&gt;.*)&amp;maxd=60&amp;mind=60" </CODE></PRE> <P>let me know if this helps!</P> Thu, 01 Feb 2018 06:24:08 GMT https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352923#M104464 mayurr98 2018-02-01T06:24:08Z https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352924#M104465 <P>This helped,made some changes to it..Thanks</P> Thu, 01 Feb 2018 16:43:59 GMT https://community.splunk.com/t5/Splunk-Search/help-with-regex/m-p/352924#M104465 vrmandadi 2018-02-01T16:43:59Z