However, it seems to be confused with cases where there is a quotation mark in the url. It includes part of the x_webcat_code_full as part of the URL. For example the cs_url ends with &dL_inYP=13. This is followed by a space and the x_webcat_code_full which is "Search Engines and Portals"
The app is extracting the cs_url as &dL_inY=555&dL_inYP=13 "Search
It then stores Engines as the x_webcat_code_full and Portals" as the x_webroot_threat_name.
There is a space after the URL so why does it think that the "Search is part of the URL? Any help would be appreciated.
* NOTE: This attribute is only valid for search-time field extractions.
* IMPORTANT: If a value may contain an embedded unescaped double quote
character, such as "foo"bar", use
REGEX, not DELIMS. An escaped double
quote (\") is ok.
This is one of the many reasons why W3C log format is so horrible. Perhaps a SEDCMD on the input to escape those quotes?