Above provide regex doesn't work for full payload.

@gcusello  please help me with regex for below event data.

{"resource_id": "/subscriptions/8507b6fe-9b2b-48aa-81a6-80622a0ca5f1/resourceGroups/vg-weu-abcprod-rg/providers/Microsoft.Web/sites/abcProdUI", "metric_name": "AppConnections", "timeStamp": "2026-03-11T07:15:00Z", "subscription_id": "8507b6fe-9b2b-48aa-81a6-80622a0ca5f1", "unit": "Count", "namespace": "mic.web/sites", "resource_group": "vg-weu-abcprod-rg", "average": 0}
{"resource_id": "/subscriptions/da646143-7fd9-4219-bm72-bdd97951cf91/resourceGroups/gip-prod/providers/Microsoft.Web/sites/splunk-front-prod", "metric_name": "AppConnections", "timeStamp": "2026-03-11T07:15:00Z", "subscription_id": "da646143-7fd9-4219-bm72-bdd97951cf91", "unit": "Count", "namespace": "mic.web/sites", "resource_group": "splunk-prod", "average": 0}

Since this is JSON, and assuming it is treated as such, you could use split and mvindex to get the last part

| eval splunk_entity=mvindex(split(resource_id,"/"),-1)

Hi @RSS_STT ,

please try this:

\"resource_id\":\s+\".*\/(?<splunk_entity>[^\"]+)\",\s+\"metric_name

that you can test at https://regex101.com/r/Am82qD/2

Ciao.

Giuseppe

Always best to provide full information!

Try this:

\"resource_id\":\s+\"[^\"]*\/(?<splunk_entity>[^\"]+)