https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136159#M37238 <P>Hi the event i gave is just an example. Those parameter names would be different across different urls. So it won't work for all the urls</P> Sun, 10 Nov 2013 16:34:17 GMT xvxt006 2013-11-10T16:34:17Z https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136157#M37236 <P>Hi,</P> <P>I am trying to capture all query string names (but not values as a list). I tried the below expression but i think it is capturing only the first one but not the rest. Any help is appreciated</P> <P>rex field=uri "\?(?<QUERYSTRINGNAME>(?:([^?(?:=.*)&amp;]+)))" </QUERYSTRINGNAME></P> <P>Below is an example event. </P> <P>GET /Ntt-valve+Butterfly+Valves,?L1=Butterfly+Valves%25252C&amp;L2=Stainless-Steel&amp;Ndr=textsearchesinbase%252Btrue&amp;operator=prodIndexRefinementSearch&amp;originalValue=valve&amp;sst=All</P> <P>So i need<BR /> L1<BR /> L2<BR /> Ndr<BR /> operator<BR /> originalValue<BR /> sst</P> Sun, 10 Nov 2013 16:09:00 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136157#M37236 xvxt006 2013-11-10T16:09:00Z https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136158#M37237 <P>Based on the above example:</P> <PRE><CODE>rex field=uri "L1\=(?&lt;L1&gt;[\w\+\:\;\%\.]+)\&amp;L2\=(?&lt;L2&gt;[\w\+\:\;\%\.]+)\&amp;Ndr\=(?&lt;Ndr&gt;[\w\+\:\;\%\.]+)\&amp;operator\=(?&lt;operator&gt;[\w\+\:\;\%\.]+)\&amp;originalValue\=(?&lt;originalValue&gt;[\w\+\:\;\%\.]+)\&amp;sst\=?&lt;sst&gt;\w+) </CODE></PRE> Sun, 10 Nov 2013 16:31:32 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136158#M37237 ShaneNewman 2013-11-10T16:31:32Z https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136159#M37238 <P>Hi the event i gave is just an example. Those parameter names would be different across different urls. So it won't work for all the urls</P> Sun, 10 Nov 2013 16:34:17 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136159#M37238 xvxt006 2013-11-10T16:34:17Z https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136160#M37239 <P>Are all of the parameter names prefixed with a &amp;?</P> Sun, 10 Nov 2013 16:40:14 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136160#M37239 ShaneNewman 2013-11-10T16:40:14Z https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136161#M37240 <P>props.conf<BR /> <PRE><BR /> [yoursourcetype]<BR /> KV_MODE=auto<BR /> </PRE></P> <P>this is the default... so you really should be seeing all the fields from all the queries auto extracted.</P> <P>As Shane is getting at... if you want to do it deliberately, it looks like you have a very clear delimiter pattern where KEY is prefixed with an ampersand, value is prefixed with an equals sign. The exception is the first one which you could handle separately. </P> <P>There are two places you want to look to understand what we're thinking.</P> <P>At the config level - take a look <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf"> HERE </A><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf</A> <BR /><BR /> and search for "DELIM" and if you want to do it inline... then look at the various ways of handling DELIMs <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions">here </A><A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions</A></P> Sun, 10 Nov 2013 17:01:27 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-capturing-multiple-values/m-p/136161#M37240 rsennett_splunk 2013-11-10T17:01:27Z