- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below the excerpt from my HTTP request and I'm trying to get the User-Agent value from it and so far not successful. Will appreciate any help.
This Splunk editor is removing the carriage return and line feed characters so below is the regex101 link.https://regex101.com/r/rdu8yE/1
Also attached is the screenshot of the HTTP request.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like 4 backslashes to get two? Below worked. Thank you for your help.
User-Agent: (?<UserAgent>[^\\\\]*)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like 4 backslashes to get two? Below worked. Thank you for your help.
User-Agent: (?<UserAgent>[^\\\\]*)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your regex was very close. This worked for me using the one example:
User-Agent: (?<UserAgent>[^\\]*)If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error in 'rex' command: Encountered the following error while compiling the regex 'User-Agent: (?<UserAgent>[^\]*)': Regex: missing terminating ] for character class.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To use backslashes in a regex in SPL you have to escape them.
User-Agent: (?<UserAgent>[^\\\\\\]*)Yes, that's 6 backslashes to get two.
If this reply helps you, Karma would be appreciated.
