https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680516#M232597 <P><A href="https://regex101.com/r/vFdbh7/1" target="_blank">https://regex101.com/r/vFdbh7/1</A></P><LI-CODE lang="markup">| rex "\"address\":\"(?&lt;api&gt;[\w\/:]+?)(?=([a-z0-9]+\-[a-z0-9-]+)|$)"</LI-CODE> Wed, 13 Mar 2024 10:06:10 GMT ITWhisperer 2024-03-13T10:06:10Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680510#M232593 <P>I've below 3 different types of API logs where I've to treat all 3 as same and get the count of the API.<BR /><BR />There are multiple versions of same API along with or without user guid which is a unique value.</P><UL><LI>"address":"<A href="http://test/services/user/" target="_blank">http://test/services/user/</A><STRONG>v1</STRONG>/deleteUser/342ad-123m4-r43rm-144dgdg</LI><LI>"address":"<A href="http://test/services/user/" target="_blank">http://test/services/user/</A><STRONG>v2</STRONG>/deleteUser/delete/342ad-123m4-r43rm-144dgdg</LI><LI>"address":"<A href="http://test/services/user/" target="_blank">http://test/services/user/</A><STRONG>v2</STRONG>/deleteUser</LI></UL><P>Looing for a regex which reads the API until the alphanumeric string starts. In short , if I do stats count by API it should give the count as 3.</P><P>&nbsp;</P> Wed, 13 Mar 2024 09:30:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680510#M232593 Deprasad 2024-03-13T09:30:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680513#M232595 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/38204">@Deprasad</a>,</P><P>please try this regex:</P><LI-CODE lang="markup">| rex "\"address\":\"(?&lt;uri&gt;https*:\/\/[^\/]+\/[^\/]+\/[^\/]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/Umz02I/1" target="_blank">https://regex101.com/r/Umz02I/1</A></P><P>if you already extracted the full APP value (and it's called "api_url "), you can use a different regex</P><LI-CODE lang="markup">| rex field=api_url "(?&lt;uri&gt;https*:\/\/[^\/]+\/[^\/]+\/[^\/]+)"</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Wed, 13 Mar 2024 09:52:12 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680513#M232595 gcusello 2024-03-13T09:52:12Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680516#M232597 <P><A href="https://regex101.com/r/vFdbh7/1" target="_blank">https://regex101.com/r/vFdbh7/1</A></P><LI-CODE lang="markup">| rex "\"address\":\"(?&lt;api&gt;[\w\/:]+?)(?=([a-z0-9]+\-[a-z0-9-]+)|$)"</LI-CODE> Wed, 13 Mar 2024 10:06:10 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680516#M232597 ITWhisperer 2024-03-13T10:06:10Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680528#M232602 <P>Thanks a lot! This regex works for the given example.&nbsp;<BR /><BR />I've another pattern like this&nbsp;"<STRONG>address":"<A href="http://test-query-service.xxx-xxx.xxx.xxx.com/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg" target="_blank">http://test-query-service.xxx-xxx.xxx.xxx.com/services/user/v1/deleteUser/342ad-123m4-r43rm-144dgdg</A>"</STRONG> for which I'm trying to implement the regex you've given by modifying slightly but couldn't achieve the same result.<BR /><BR />Can you please help here? Also can you please break down the regex for my better understanding.</P> Wed, 13 Mar 2024 11:49:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680528#M232602 Deprasad 2024-03-13T11:49:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680540#M232609 <P>How much of this is real? For example, do you really have hyphens in the host name of the address? Are they the only place where hyphens occur apart from the end part?</P><P>Are there any other representative examples you wish to be considered?</P> Wed, 13 Mar 2024 13:10:35 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680540#M232609 ITWhisperer 2024-03-13T13:10:35Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680549#M232613 <P>Yes, I've hyphens and a full stop on the hostname that needs to be considered.&nbsp;<BR /><BR />So far identified those 4 patterns and that should be it.</P> Wed, 13 Mar 2024 13:48:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-to-skip-alphanumeric-string/m-p/680549#M232613 Deprasad 2024-03-13T13:48:13Z