https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562376#M195586 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237199">@newtosplunk14</a>&nbsp;</P><P>Try this,</P><LI-CODE lang="markup">cf_app_name="preval" cf_space_name="prod" | regex "\/api\/work\/\d+"</LI-CODE><P>--</P><P>An upvote would be appreciated and Accept solution if this reply helps!&nbsp;</P> Fri, 06 Aug 2021 07:30:45 GMT venkatasri 2021-08-06T07:30:45Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562372#M195584 <P>I want to search for endpoints&nbsp;&nbsp;<SPAN class="t string h">/api/work/12345678 i.e api/work/(8 digt number). My below query gives me all the three endpoint in the logs. I just only want the ones that are&nbsp; /api/work/12345678.&nbsp;</SPAN></P><P><STRONG>Search Query -</STRONG> cf_app_name="preval" cf_space_name="prod" msg="*/api/jobs/*"&nbsp;</P><P><STRONG>My logs contain</STRONG></P><P><SPAN class="key-name">msg</SPAN><SPAN>:&nbsp;</SPAN><SPAN class="t string h">abc - [2021-08-06T06:49:11.529+0000] "GET /api/work/12345678/data HTTP/1.1" <SPAN>200 0 407 "-" "Java/1.8.0_222" </SPAN></SPAN></P><P><SPAN class="t string h"><SPAN class="key-name">msg</SPAN><SPAN>:&nbsp;</SPAN>abc - [2021-08-06T06:49:11.529+0000] "GET /api/work/12345678 HTTP/1.1"&nbsp; <SPAN>200 0 407 "-" "Java/1.8.0_222"</SPAN></SPAN></P><P><SPAN class="t string h"><SPAN class="key-name">msg</SPAN><SPAN>:&nbsp;</SPAN>abc - [2021-08-06T06:49:11.529+0000] "GET /api/work/12345678/photo HTTP/1.1"&nbsp;<SPAN>200 0 407 "-" "Java/1.8.0_222"</SPAN></SPAN></P><P><SPAN class="t string h"><SPAN>Thanks</SPAN></SPAN></P> Fri, 06 Aug 2021 07:15:01 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562372#M195584 newtosplunk14 2021-08-06T07:15:01Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562376#M195586 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237199">@newtosplunk14</a>&nbsp;</P><P>Try this,</P><LI-CODE lang="markup">cf_app_name="preval" cf_space_name="prod" | regex "\/api\/work\/\d+"</LI-CODE><P>--</P><P>An upvote would be appreciated and Accept solution if this reply helps!&nbsp;</P> Fri, 06 Aug 2021 07:30:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562376#M195586 venkatasri 2021-08-06T07:30:45Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562386#M195591 <P>If msg is a field which is already extracted, you can use this - note the \s in the pattern to terminate the URI</P><LI-CODE lang="markup">cf_app_name="preval" cf_space_name="prod" | regex msg="\/api\/work\/\d+\s"</LI-CODE> Fri, 06 Aug 2021 08:22:07 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562386#M195591 ITWhisperer 2021-08-06T08:22:07Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562393#M195596 <P>Thanks for your response Venkatasri. I tried but still returns all the events. I want the query to return one the first event in my log below.</P><P>my log is as below.&nbsp;</P><P><SPAN class="key level-1"><SPAN class="key-name">msg</SPAN>:<SPAN>&nbsp;</SPAN><SPAN class="t string">timestamp="2021-08-06T08:55:56.091Z", local_host="3deb5c54-c5f9-446d-6136-89ee", status="200", remote_host="70.132.29.36", client_id="7012430", subject_id="NO_SUBJECT_ID", service_access_id="ACCESS_USER", billing_event_sent="false", execution_time="3", <STRONG>uri="/api/work/16898540</STRONG>", app_env="prod", usage_log="preval"</SPAN></SPAN></P><P><SPAN class="key level-1"><SPAN class="t string"><SPAN class="key-name">msg</SPAN>:<SPAN>&nbsp;</SPAN>timestamp="2021-08-06T08:55:56.091Z", local_host="3deb5c54-c5f9-446d-6136-89ee", status="200", remote_host="70.132.29.36", client_id="7012430", subject_id="NO_SUBJECT_ID", service_access_id="ACCESS_USER", billing_event_sent="false", execution_time="3", <STRONG>uri="/api/work/16898540/data</STRONG>", app_env="prod", usage_log="preval"</SPAN></SPAN></P> Fri, 06 Aug 2021 09:16:46 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562393#M195596 newtosplunk14 2021-08-06T09:16:46Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562394#M195597 <LI-CODE lang="markup">cf_app_name="preval" cf_space_name="prod" | regex "uri=\"\/api\/work\/\d+\""</LI-CODE> Fri, 06 Aug 2021 09:21:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562394#M195597 ITWhisperer 2021-08-06T09:21:45Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562395#M195598 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237199">@newtosplunk14</a>&nbsp; try this</P><LI-CODE lang="markup">cf_app_name="preval" cf_space_name="prod" | regex uri="\/api\/work\/\d+$"</LI-CODE> Fri, 06 Aug 2021 09:22:07 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562395#M195598 venkatasri 2021-08-06T09:22:07Z https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562414#M195608 <P>Thanks heaps&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp; and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;. both your solutions worked brilliantly!</P> Fri, 06 Aug 2021 12:56:08 GMT https://community.splunk.com/t5/Splunk-Search/Search-an-endpoint-ending-with-numbers/m-p/562414#M195608 newtosplunk14 2021-08-06T12:56:08Z