Hi, I'm struggling to get a complete extraction on any fields that contain double quotes.
The payload:
2021-05-25 07:59:04.000, auditId="17864172953", groups_groupId="4639", groupName="some group name", people_personId="625841", users_userId="152321", userLogin="field-removed", userStaffFlag="false", auditIP="111.222.333.444", auditMod="Module", auditMessage="Module: "mod1" is not present in a check, Module: "mod2" is not present in a check, Module: "mod3" is not present in a check, Module: "mod4" is not present in a check, Module: "mod5" is not present in a check, Module: "mod6" is not present in a check, Module: "mod7" is not present in a check, Module: "mod8" is not present in a check, Module: "mod9" is not present in a check, Module: "mod10" is not present in a check", auditDate="2021-05-25 07:59:04.0", auditType="info", auditRID="88827e1f-d157-46d5-b1b4-20b91d4440a4", auditMicroSeconds="0.0000"
In this example, it's the "auditMessage" key that will not extract completely and stops at the first "Module: "<--
The regex (\w+)="(.*?)" gets me most of the way there (regex101), but doesn't work in Splunk.
My Fu has failed me.
So after a little more reading, this is a known issue with DBConnect. The official workaround is to use KV_MODE and then apply a search-time extraction for the problematic fields.
auditMessage="(?P<auditMessage>.+?)",
Would you believe you're only missing a comma? This works in regex101.com
(\w+)="(.*?)",
Hi Rich, thanks for the response. I had already done that; it works in regex101 but not in Splunk.
I've also come up with (?:([\w+]+)=(?:\")(.+?)(?:\",\s|\"$)) which does exactly what I want on regex101, but again doesn't work the same in Splunk.