https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403737#M169354 <P>10.1.151.100 [18/May/2018:09:09:57 +0200] "GET <A href="http://example.com/DCQ/templates/GetAggregated?channel=TV&amp;contentId=4ek4k4&amp;lang=eng" target="_blank">http://example.com/DCQ/templates/GetAggregated?channel=TV&amp;contentId=4ek4k4&amp;lang=eng</A> HTTP/1.1" 200 2856 hit 0.000111 hit - 154.176.135.239<BR /> 10.1.51.16 [18/May/2018:09:20:42 +0200] "GET <A href="http://video-play.vodacom.co.za/AVS/besc?action=GetIsFavorite&amp;channel=IPHONE&amp;contentId=1200668" target="_blank">http://video-play.vodacom.co.za/AVS/besc?action=GetIsFavorite&amp;channel=IPHONE&amp;contentId=1200668</A> HTTP/1.1" 200 113 miss 0.007757 miss - 19.392.33.103<BR /> 10.1.51.16 [18/May/2018:08:37:51 +0200] "GET <A href="http://example.com/AVS/besc?username=00007&amp;channel=ANDROID&amp;action=GetAccountList" target="_blank">http://example.com/AVS/besc?username=00007&amp;channel=ANDROID&amp;action=GetAccountList</A> HTTP/1.1" 200 1516 miss 0.030941 miss - 203.122.32.11</P> <P>I tried this but it does not print the ones with action=&lt;&gt; that are at the end of the url. <BR /> index=index-name_idx earliest=-1h | rex "(?i)action=(?P[^&amp;]+)" |stats count by test<BR /> index=index-name_idx earliest=-1h | rex "(?i)action=(?P[^&amp;]+|[\s]+)" |stats count by test</P> <P>The result i get is: <BR /> CheckSession 444<BR /> DeleteFavourite 1<BR /> GetAccountList 116<BR /> GetAccountList HTTP/1.1" 200 1516 miss 0.030941 miss - 119.92.253.103 1<BR /> GetAccountList HTTP/1.1" 200 1898 miss 0.029884 miss - 119.92.253.103 1<BR /> GetAccountList HTTP/1.1" 200 1902 miss 0.023020 miss - 119.92.253.103 1</P> <P>I want result for action=&lt;&gt; anything sorted by channel= and count but the key action could be anywhere in the URL and hence i dont get the exact count. </P> <P>How do we use regex to find action=&lt;&gt; if it is at the end of the URL. </P> Tue, 29 Sep 2020 19:34:45 GMT panandshah 2020-09-29T19:34:45Z https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403737#M169354 <P>10.1.151.100 [18/May/2018:09:09:57 +0200] "GET <A href="http://example.com/DCQ/templates/GetAggregated?channel=TV&amp;contentId=4ek4k4&amp;lang=eng" target="_blank">http://example.com/DCQ/templates/GetAggregated?channel=TV&amp;contentId=4ek4k4&amp;lang=eng</A> HTTP/1.1" 200 2856 hit 0.000111 hit - 154.176.135.239<BR /> 10.1.51.16 [18/May/2018:09:20:42 +0200] "GET <A href="http://video-play.vodacom.co.za/AVS/besc?action=GetIsFavorite&amp;channel=IPHONE&amp;contentId=1200668" target="_blank">http://video-play.vodacom.co.za/AVS/besc?action=GetIsFavorite&amp;channel=IPHONE&amp;contentId=1200668</A> HTTP/1.1" 200 113 miss 0.007757 miss - 19.392.33.103<BR /> 10.1.51.16 [18/May/2018:08:37:51 +0200] "GET <A href="http://example.com/AVS/besc?username=00007&amp;channel=ANDROID&amp;action=GetAccountList" target="_blank">http://example.com/AVS/besc?username=00007&amp;channel=ANDROID&amp;action=GetAccountList</A> HTTP/1.1" 200 1516 miss 0.030941 miss - 203.122.32.11</P> <P>I tried this but it does not print the ones with action=&lt;&gt; that are at the end of the url. <BR /> index=index-name_idx earliest=-1h | rex "(?i)action=(?P[^&amp;]+)" |stats count by test<BR /> index=index-name_idx earliest=-1h | rex "(?i)action=(?P[^&amp;]+|[\s]+)" |stats count by test</P> <P>The result i get is: <BR /> CheckSession 444<BR /> DeleteFavourite 1<BR /> GetAccountList 116<BR /> GetAccountList HTTP/1.1" 200 1516 miss 0.030941 miss - 119.92.253.103 1<BR /> GetAccountList HTTP/1.1" 200 1898 miss 0.029884 miss - 119.92.253.103 1<BR /> GetAccountList HTTP/1.1" 200 1902 miss 0.023020 miss - 119.92.253.103 1</P> <P>I want result for action=&lt;&gt; anything sorted by channel= and count but the key action could be anywhere in the URL and hence i dont get the exact count. </P> <P>How do we use regex to find action=&lt;&gt; if it is at the end of the URL. </P> Tue, 29 Sep 2020 19:34:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403737#M169354 panandshah 2020-09-29T19:34:45Z https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403738#M169355 <P>@panandshah, please use the Code button ie. button with <CODE>101010</CODE> or shortcut key <CODE>CTRL+K</CODE> while posting data or code so that special characters do not escape.</P> <P>Based on the data sample provided, can you try the following regex?</P> <PRE><CODE> index=index-name_idx earliest=-1h | | rex "action=(?&lt;action&gt;[^\&amp;\s]+)[&amp;|\s]" </CODE></PRE> <P>What is the action field in the first example is there a pattern for that?<BR /> Also the third data has <CODE>channel=ANDROID∾tion=GetAccountList</CODE> is the <CODE>∾</CODE> character actually present in your raw data or is it due to copy paste and the character is actually <CODE>ac</CODE>.?<BR /> Do you need to extract <CODE>channel</CODE> as well?</P> Fri, 18 May 2018 09:02:57 GMT https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403738#M169355 niketn 2018-05-18T09:02:57Z https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403739#M169356 <P>That works indeed!! Thanks</P> Fri, 18 May 2018 14:58:47 GMT https://community.splunk.com/t5/Splunk-Search/Regex-string-end-of-the-url-and-in-between/m-p/403739#M169356 panandshah 2018-05-18T14:58:47Z