Thanks Rich!

I have the following search now -

index="prod" host="prod-as**" "*succeeded" "app=oraapp" | rex field=target "name=(?<MyFileName>[^,]*)" | search MyFileName=*%*

But it's not working. It is showing "No results found".

I tried to see if the search is showing any result with "%" in it. I ran this query -

index="prod" host="prod-as**" "*succeeded" "app=oraapp" | rex field=target "name=(?<MyFileName>[^,]*)" | stats count by name

Found the result -
1213 Iriquois Dr%2C PHOTO 1

15%25

But when I try to look at the stats using "MyFileName", its not returning any result. It is showing "No results found".

index="prod" host="prod-as**" "*succeeded" "app=oraapp" | rex field=target "name=(?<MyFileName>[^,]*)" | stats count by MyFileName

Does this mean that MyFileName is not being populated?

Can you provide a couple more of the raw events, preferably the whole or at least most of the event? Might just be a little detail was overlooked and with that I can retest in a while.

Thanks

Yes, so it looks like you are using a rex that looks for a string "name=" followed by characters that aren't commas. "name=(?<MyFileName>[^,]*)" So if given an event like

age=23,name=billy,height=tall

It would pull a field MyFileName of "billy". I know the example ended up silly, but that's OK. 🙂

But your initial pasting of events shows they look like

age=23&name=billy&height=tall

So you need to make sure you are looking for the string "name=" then characters up to but not including an ampersand. Like "name=(?<MyFileName>[^&]*)" .

Unless the initial pastes were of the wrong data or got funged up during pasting. So in either way, if you have further problems if you could paste in new event samples that would be great. Of course, we'll just hope it all works!

BTW, I put this stuff up into regex101.com so you can see how it determined what was matching, and this is off the original data way up in the question.