https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286286#M86676 <P>That works! How could I make so that the user could search url_parameters without typing the rex command? Can this be added to props.conf or transforms.conf?</P> <P>In the meantime you have given me a great head start!</P> Thu, 07 Apr 2016 20:36:12 GMT DPWSplunkPOC 2016-04-07T20:36:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286283#M86673 <P>I want to extract the field names from a URL's parameters. For example my raw event might look like this:</P> <P>action=accept host=myserver timestamp=01/01/2016:12:00:00 src_ip=1.1.1.1 domain=mydomain process=GET url=mywebpage.com/requestedpage.resquest?<STRONG>field1</STRONG>=value1&amp;<STRONG>field2</STRONG>=value2&amp;<STRONG>field3</STRONG>=value3</P> <P>I would like the regex to capture all field names from the parameters into one capture group called url_parameter. </P> <P>I have the following regex:</P> <PRE><CODE>^[^\?\n]\*\?(?P&lt;\url_parameter\&gt;\w+)*(?:[^&amp;\n]\*&amp;(\w+)) </CODE></PRE> <P>*Note I added slashes around url_parameter because it looked like an HTML tag.</P> <P>It captures the first field after the question mark and places it in url_parameter capture group. It captures the the second field in a different capture group. Finally it does not capture field 3 or any number of remaining fields in the parameter. I'm far from a regex expert but I'm trying to teach myself. Any help is appreciated. Thank you in advance.</P> Thu, 07 Apr 2016 20:19:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286283#M86673 DPWSplunkPOC 2016-04-07T20:19:21Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286284#M86674 <P>Try something like this</P> <PRE><CODE>your base search | rex "^[^\?\n]*\?(?P&lt;url_parameter&gt;\S+)" | rex max_match=0 field=url_parameter "(?&lt;url_parameter&gt;\w+)=" </CODE></PRE> Thu, 07 Apr 2016 20:24:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286284#M86674 somesoni2 2016-04-07T20:24:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286285#M86675 <P>Hi,</P> <P>Try this:</P> <PRE><CODE>your search here | rex max_match=0 "(?msi)(?&lt;url_parameter&gt;field\d)" </CODE></PRE> <P>It'll create a multvalue field with all your field names that you can later on used the way you like.</P> Thu, 07 Apr 2016 20:30:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286285#M86675 javiergn 2016-04-07T20:30:05Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286286#M86676 <P>That works! How could I make so that the user could search url_parameters without typing the rex command? Can this be added to props.conf or transforms.conf?</P> <P>In the meantime you have given me a great head start!</P> Thu, 07 Apr 2016 20:36:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286286#M86676 DPWSplunkPOC 2016-04-07T20:36:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286287#M86677 <P>See this Splunk documentation page<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Handling_events_with_multivalue_fields">http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Handling_events_with_multivalue_fields</A></P> <P>Props.conf</P> <PRE><CODE>[yoursourcetype] REPORT-urlparams = geturlparams </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE>[geturlparams] REGEX = (?&lt;url_parameter&gt;\w+)= MV_ADD = true </CODE></PRE> Thu, 07 Apr 2016 20:45:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-regex-to-extract-URL-parameter-field-names/m-p/286287#M86677 somesoni2 2016-04-07T20:45:57Z