Splunk Search

How do you extract and aggregate on field names instead of values?

bcatwork
Path Finder

I am working with a log format that contains some upstream and downstream request details, containing a URI and a variable number of other fields. The ones I am interested in are all prefixed by the word 'backend_' with a latency value assigned.

I am looking to extract the dependencies to know that a single URI in turn calls 1:n different named backends. I need the field names and not the values.

Take 2 sample events like:

requestID=123 URI=/foo/ backend_x=10 backend_y=15 backend_z=20

requestID=124  URI=/foo/bar backend_z=10 backend_a=100

For each of these events, how can I list all backend field names that appear?

If I use this, it seems to grab only the first backend name found:

foreach backend* [eval backend = "<<FIELD>>"]

If I use this, it seems to associate every found backend name to each event, not only the one(s) specific to that event.

foreach backend* [eval backend_<<MATCHSTR>> = "<<FIELD>>"]

Ultimately, I am after a table that would list request counts, backends used, by each URI.

I have found that I can use a regular expression to match each field and extract the name, but is there any additional way to use the existing field names and avoid the regex?

rex field=_raw max_match=100 "backend_(?<backend>[^\s=]+)"  

Thanks for any insights you can offer!

0 Karma

renjith_nair
Legend

@bcatwork ,

Try this

your search |foreach backend* [eval backends=if(isnull(backends),"<<FIELD>>",backends."#"."<<FIELD>>")]
|table backends|makemv delim="#" backends|mvexpand backends
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

kmorris_splunk
Splunk Employee

I'm not sure if this is helpful, but have you tried this:

... | fields backend_*

OR

... | fieldsummary | fields backend_*
0 Karma
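
An added example, not taken from any of the posts above: one way to get the per-URI table described in the question without a regex. `foreach` iterates over every `backend_*` field present anywhere in the result set, so the `isnotnull('<<FIELD>>')` test is what limits each event to the backends it actually carries. The `makeresults` preamble only rebuilds the two sample events from the question, and the output field names `backends` and `requests` are assumptions.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(n=1, "requestID=123 URI=/foo/ backend_x=10 backend_y=15 backend_z=20",
                 n=2, "requestID=124  URI=/foo/bar backend_z=10 backend_a=100")
| extract
| foreach backend_* [eval backends=if(isnotnull('<<FIELD>>'), mvappend(backends, "<<FIELD>>"), backends)]
| stats count AS requests values(backends) AS backends BY URI
```

Against real data, replace the first five lines with the base search; use `"<<MATCHSTR>>"` in place of `"<<FIELD>>"` to list the names without the `backend_` prefix.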