Solved: Regex help involving double quote

kmaron · ‎06-12-2017

I have a whole bunch of these and I need what comes after ?desktop= and before the "

- for this particular log I need UnderwritingICM

10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] "POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 "https://www.aoins.com/navigator/?desktop=UnderwritingICM" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -

However I can't seem to get that piece. I either get nothing or I get everything. I can't seem to get the regex to stop at the double quote.

When I put my regex into regex101 to test it this works

\?desktop=(?<DesktopName>.*?)"

but when I try to use that in Splunk I get unbalanced quotes

I tried a single slash to escape the quote and it comes back with nothing

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\""

I tried a double slash and it tells me I have unbalanced quotes

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\\""

And three gave me the same as one so ... I'm stumped.

Can anyone help with this?

cmerriman · ‎06-12-2017

try this:

| rex field=_raw "\?desktop=(?<DesktopName>\w+)"

View solution in original post

mattiaslindblom · ‎06-12-2017

Seems to work ok here.

If I try that with ?desktop=UnderwritingICM" in an eval and using your first rex on that field, it works just fine.

kmaron · ‎06-12-2017

index=index host="host" | rex field=_raw "\?desktop=(?.*?)""

This gives me unbalanced quotes

index=index host="host" | rex field=_raw "\?desktop=(?.*?)"

This gives me the field name of DesktopName but the 'value' is blank
1 Value, 75.064% of events

Reports
Top values Top values by time Rare values
Events with this field
Values Count %

19,413 100%

cmerriman · ‎06-12-2017

try this:

| rex field=_raw "\?desktop=(?<DesktopName>\w+)"

kmaron · ‎06-12-2017

I knew it was going to be something simple. Thank you!!!!

mattiaslindblom · ‎06-12-2017

To me, your first rex looks fine, though, and should work.

kmaron · ‎06-12-2017

None of them worked. They either error for unbalanced quotes or they list the field name under Interesting Fields but with a blank value.

gauravsplunkarc · ‎06-12-2017

.* is greedy. use \S+ instead.

gauravsplunkarc · ‎06-12-2017

I would use this instead.
\?desktop=(?\S+?)"

GauravSplunxter · ‎06-12-2017

I downvoted this post because the command is not showing up properly on the page after i click submit.

kmaron · ‎06-12-2017

does it work if you post it as code?

kmaron · ‎06-12-2017

That gives me unbalanced quotes

| rex field=_raw "\?desktop=(?\S+?)""

GauravSplunxter · ‎06-12-2017

formatting went bad.. I meant
| rex field=_raw "\?desktop=(?\S+)"

GauravSplunxter · ‎06-12-2017

it's happening again.

Regex help involving double quote

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?