How to create a regex that gives the count, if the...

sanvica · ‎03-30-2022

Hi Experts,

I have an issue with the search string, I have a url text like below and I need to filter that out using regex. I am not able to create a regex that would give the count if the url string has two question mark symbols, not consecutive though.

/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)&cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s

Thanks

yuanliu · ‎03-31-2022

To count how many occurrences, use mvcount

| rex field=url max_match=0 "\?(?<param>[^?]+)"
| eval qcount = mvcount(param)

e.g., url="/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)&cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s" gives

param	qcount	url
filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)&cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s	1	/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)&cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s

whereas url="/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)?cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X👖X:JEAN:X:JanWk4AABBBs15s" gives

param	qcount	url
filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22) cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s	2	/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)?cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s

ITWhisperer · ‎03-31-2022

| regex url="\?[^\?]+\?"

How to create a regex that gives the count, if the url string has two question mark symbols (not consecutive though)?

regex

rex

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

How to create a regex that gives the count, if the url string has two question mark symbols (not consecutive though)?

regex

rex

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!