topic Re: Regex help involving double quote in Splunk Search

Regex help involving double quote

kmaron — Mon, 12 Jun 2017 14:50:11 GMT

I have a whole bunch of these and I need what comes after ?desktop= and before the "

- for this particular log I need UnderwritingICM

10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] "POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 "https://www.aoins.com/navigator/?desktop=UnderwritingICM" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -

However I can't seem to get that piece. I either get nothing or I get everything. I can't seem to get the regex to stop at the double quote.

When I put my regex into regex101 to test it this works

\?desktop=(?<DesktopName>.*?)"

but when I try to use that in Splunk I get unbalanced quotes

I tried a single slash to escape the quote and it comes back with nothing

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\""

I tried a double slash and it tells me I have unbalanced quotes

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\\""

And three gave me the same as one so ... I'm stumped.

Can anyone help with this?

Re: Regex help involving double quote

gauravsplunkarc — Mon, 12 Jun 2017 14:57:11 GMT

I would use this instead.
\?desktop=(?\S+?)"

Re: Regex help involving double quote

gauravsplunkarc — Mon, 12 Jun 2017 14:58:02 GMT

.* is greedy. use \S+ instead.

Re: Regex help involving double quote

cmerriman — Mon, 12 Jun 2017 15:01:45 GMT

try this:

| rex field=_raw "\?desktop=(?<DesktopName>\w+)"

Re: Regex help involving double quote

mattiaslindblom — Mon, 12 Jun 2017 15:07:30 GMT

Seems to work ok here.

If I try that with ?desktop=UnderwritingICM" in an eval and using your first rex on that field, it works just fine.

Re: Regex help involving double quote

kmaron — Mon, 12 Jun 2017 15:08:16 GMT

I knew it was going to be something simple. Thank you!!!!

Re: Regex help involving double quote

mattiaslindblom — Mon, 12 Jun 2017 15:20:29 GMT

To me, your first rex looks fine, though, and should work.

Re: Regex help involving double quote

kmaron — Mon, 12 Jun 2017 15:24:12 GMT

None of them worked. They either error for unbalanced quotes or they list the field name under Interesting Fields but with a blank value.

Re: Regex help involving double quote

kmaron — Mon, 12 Jun 2017 16:32:28 GMT

That gives me unbalanced quotes

| rex field=_raw "\?desktop=(?\S+?)""

Re: Regex help involving double quote

kmaron — Mon, 12 Jun 2017 16:35:08 GMT

index=index host="host" | rex field=_raw "\?desktop=(?.*?)""

This gives me unbalanced quotes

index=index host="host" | rex field=_raw "\?desktop=(?.*?)"

This gives me the field name of DesktopName but the 'value' is blank
1 Value, 75.064% of events

Reports
Top values Top values by time Rare values
Events with this field
Values Count %

19,413 100%

Re: Regex help involving double quote

GauravSplunxter — Mon, 12 Jun 2017 17:44:03 GMT

formatting went bad.. I meant
| rex field=_raw "\?desktop=(?\S+)"

Re: Regex help involving double quote

GauravSplunxter — Mon, 12 Jun 2017 17:44:43 GMT

it's happening again.

Re: Regex help involving double quote

GauravSplunxter — Mon, 12 Jun 2017 17:45:37 GMT

I downvoted this post because the command is not showing up properly on the page after i click submit.

Re: Regex help involving double quote

kmaron — Mon, 12 Jun 2017 17:46:55 GMT

does it work if you post it as code?