I have a whole bunch of these and I need what comes after ?desktop= and before the "
- for this particular log I need UnderwritingICM
10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] "POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 "https://www.aoins.com/navigator/?desktop=UnderwritingICM" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -
However, I can't seem to get that piece. I either get nothing or I get everything. I can't seem to get the regex to stop at the double quote.
When I put my regex into regex101 to test it, this works, but when I try to use that in Splunk I get unbalanced quotes.
I tried a single slash to escape the quote, and it comes back with nothing:
| rex field=_raw "\?desktop=(?<DesktopName>.*?)\""
I tried a double slash, and it tells me I have unbalanced quotes:
| rex field=_raw "\?desktop=(?<DesktopName>.*?)\\""
And three gave me the same as one, so ... I'm stumped.
Can anyone help with this?
index=index host="host" | rex field=_raw "\?desktop=(?<DesktopName>.*?)""
This gives me unbalanced quotes
index=index host="host" | rex field=_raw "\?desktop=(?<DesktopName>.*?)"
This gives me the field name of DesktopName but the 'value' is blank
1 Value, 75.064% of events
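The "nothing or everything" behaviour comes down to the quantifier and the delimiter the pattern stops at. The following is an added example, not code from the post above: it runs three candidate patterns in Python's re module over the event quoted in the question (greedy `.*`, lazy `.*?`, and a character class that never needs a literal quote) so the difference can be checked outside Splunk. Python spells a named group `(?P<name>...)` where Splunk's PCRE dialect uses `(?<name>...)`; Splunk's own string-quoting rules are not modelled here.

```python
import re
from typing import Optional

# The access-log event quoted in the question above (one Splunk _raw event).
RAW_EVENT = (
    '10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] '
    '"POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS'
    '&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin'
    '&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 '
    '"https://www.aoins.com/navigator/?desktop=UnderwritingICM" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    '112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -'
)

# Greedy: runs to the LAST double quote on the line ("I get everything").
GREEDY = re.compile(r'\?desktop=(?P<DesktopName>.*)"')
# Lazy: stops at the FIRST double quote after the value (what the post is after).
LAZY = re.compile(r'\?desktop=(?P<DesktopName>.*?)"')
# Character class: consumes the value itself, so no literal quote has to be
# escaped in the pattern; [?&] also matches the desktop= inside the request path.
NO_QUOTE = re.compile(r'[?&]desktop=(?P<DesktopName>[^"&\s]+)')


def extract_desktop(event: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return the DesktopName capture for `pattern`, or None when it does not match."""
    m = pattern.search(event)
    return m.group("DesktopName") if m else None


if __name__ == "__main__":
    for name, pat in (("greedy", GREEDY), ("lazy", LAZY), ("no-quote", NO_QUOTE)):
        print(f"{name:9s} -> {extract_desktop(RAW_EVENT, pat)!r}")
```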