This post is for the team managing the WebSense content gateway add-on, and for anyone else who experiences this issue.
For the websense:cg:kv sourcetype, the fields are being auto-extracted by the key=value method, as per Splunk's default.
The issue we are hitting with this is that some URLs include the ampersand symbol, or &.
Due to this the entries such as:
url=http://pixel.yabidos.com/nflrc.gif?cb=1479701935398&ver=1.0r5&qid=636373f5936373f5930353&p=8CU3827QO...
Becomes many fields, the url becomes:
http://pixel.yabidos.com/nflrc.gif?cb=1479701935398
Which is problematic. We are working around this by creating the extraction:
url=(?P<url>\S+)
But perhaps the application needs an update to handle this scenario.
The question is actually answered in the post; however, I would like a comment from anyone managing the application or anyone else experiencing the issue...
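The behaviour described in the post, reproduced as an added example that is not part of the original post or of the add-on. The sample event and the simplified `NAIVE_KV` pattern are assumptions standing in for automatic key=value extraction; only the `url=` workaround regex comes from the post.

```python
import re

# Constructed sample event: the URL is the one from the post (cut where the
# post cuts it); the other fields are made up for illustration.
SAMPLE = ("action=allowed user=jdoe "
          "url=http://pixel.yabidos.com/nflrc.gif?cb=1479701935398&ver=1.0r5"
          "&qid=636373f5936373f5930353&p=8CU3827QO status=200")

# Assumption: simplified stand-in for automatic key=value extraction in which
# whitespace and '&' both end a value. Not Splunk's actual implementation.
NAIVE_KV = re.compile(r"(\w+)=([^\s&]+)")

# The workaround from the post: the url value runs to the next whitespace.
URL_FIELD = re.compile(r"url=(?P<url>\S+)")


def naive_fields(event):
    """Return the fields a delimiter-based key=value pass would produce."""
    return dict(NAIVE_KV.findall(event))


def extract_url(event):
    """Return the full url value, or None when the event has no url field."""
    match = URL_FIELD.search(event)
    return match.group("url") if match else None


def leaked_params(event):
    """List query-string parameters that surfaced as top-level fields."""
    url = extract_url(event) or ""
    query = url.partition("?")[2]
    names = {pair.partition("=")[0] for pair in query.split("&") if "=" in pair}
    return sorted(names & naive_fields(event).keys())


if __name__ == "__main__":
    print("naive url :", naive_fields(SAMPLE)["url"])
    print("fixed url :", extract_url(SAMPLE))
    print("stray keys:", leaked_params(SAMPLE))
```

Running it on a few real events before deploying the extraction shows which stray fields (here `ver`, `qid`, `p`) existing searches and dashboards may already be picking up from truncated URLs.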