It sounds like you want to extract as many key-value pairs as there may be in the query portion of a URL.
If this is correct, here’s a way to approach it:
index=ndx sourcetype=srctp url=*
| eval query=split(url,"?")
| eval query=mvindex(query,-1)
| rex field=query max_match=0 "(?<pair>[^&]+)"
| mvexpand pair
Alternatively, if you have a reason to want to split them out/change the = to, say, a |:
index=ndx sourcetype=srctp url=*
| eval query=split(url,"?")
| eval query=mvindex(query,-1)
| rex field=query max_match=0 "(?<key>[^&=]+)=(?<value>[^&]*)"
| eval pair=mvzip(key,value," | ")
| mvexpand pair
<rest of search>
By running split on the URL against the ? character, you’ll get the base URL and the query string (if there is any).
Selecting the last index in the multivalue field (via mvindex), you’ll get just the query string, unless there was no query string, in which case you’ll get the base URL. If there were no query present, the first regular expression will return the entire URL as the pair field, and the second rex call should return nothing (since it won’t find an = sign in the URL).
By using max_match with rex, you’ll get back a [possibly] multivalue field of results.
Since all arguments in a URL query string have to be separated with an &, this should work across most examples.
from User warren – Stack Overflow https://stackoverflow.com/questions/71511990/regular-expression-for-url-query-params-that-differ-in-size-order-and-topic/71512596#71512596
via IFTTT
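The same pipeline as the SPL above, reimplemented in Python so the edge cases can be checked offline. This is an added example, not code from the Stack Overflow answer or from Splunk; the function names, the sample URLs and the " | " separator are my own choices. It mirrors split-on-"?" / take-the-query / rex-out-the-pairs, but deliberately handles three cases the raw search does not: a URL with no "?" yields no pairs instead of the base URL, a second "?" inside the query does not discard the earlier part (the split is limited to one), and a "#fragment" after the query is dropped. For the key/value split it uses [^&]* for the value: a value pattern of [^=]+ would run past the next & and swallow the following key, which is exactly the kind of mis-split you want to catch when the pairs end up in a detection search.

```python
import re
from typing import List, Optional

# Equivalent of: rex field=query max_match=0 "(?<pair>[^&]+)"
PAIR_RE = re.compile(r"[^&]+")

# Key/value split: key stops at '=' or '&', value stops only at '&' so a
# value may itself contain '=' and may be empty ("c=").
KV_RE = re.compile(r"(?P<key>[^&=]+)=(?P<value>[^&]*)")


def query_string(url: str) -> Optional[str]:
    """Equivalent of split(url,"?") + mvindex(query,-1), with two changes:
    - no '?' present -> None (the SPL form would return the base URL)
    - only the first '?' splits, so "?q=a?b" keeps "q=a?b" intact
    A trailing '#fragment' is removed, since it is not part of the query."""
    base_and_query = url.split("?", 1)
    if len(base_and_query) == 1:
        return None
    query = base_and_query[1]
    return query.split("#", 1)[0]


def pairs(url: str) -> List[str]:
    """First search in the answer: one multivalue 'pair' entry per &-separated chunk."""
    qs = query_string(url)
    if qs is None:
        return []
    return PAIR_RE.findall(qs)


def key_values(url: str, sep: str = " | ") -> List[str]:
    """Second search in the answer: key and value, joined like mvzip(key,value," | ").
    Chunks without '=' (bare flags such as '&debug') produce no entry, as the
    SPL rex would also skip them."""
    qs = query_string(url)
    if qs is None:
        return []
    return [f"{m['key']}{sep}{m['value']}" for m in KV_RE.finditer(qs)]


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real log.
    for sample in (
        "https://example.test/search?a=1&b=two&c=",
        "https://example.test/p?x=y=z&debug",
        "https://example.test/p?q=a?b#top",
        "https://example.test/plain",
    ):
        print(sample, pairs(sample), key_values(sample))
```

Run it as a script to see each stage; when the query field in Splunk looks wrong, feed the offending URL through `query_string` first, since that step (not the regex) is where a missing or doubled "?" changes the result.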