Splunk Search

Regex help involving double quote

kmaron
Motivator

I have a whole bunch of these and I need what comes after ?desktop= and before the "

- for this particular log I need UnderwritingICM

10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] "POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 "https://www.aoins.com/navigator/?desktop=UnderwritingICM" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -

However I can't seem to get that piece. I either get nothing or I get everything. I can't seem to get the regex to stop at the double quote.

When I put my regex into regex101 to test it this works

\?desktop=(?<DesktopName>.*?)"

but when I try to use that in Splunk I get unbalanced quotes

I tried a single slash to escape the quote and it comes back with nothing

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\""

I tried a double slash and it tells me I have unbalanced quotes

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\\""

And three gave me the same as one so ... I'm stumped.

Can anyone help with this?

0 Karma
1 Solution

cmerriman
Super Champion

try this:

| rex field=_raw "\?desktop=(?<DesktopName>\w+)"


0 Karma
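An added Python example (not from the thread or from Splunk) that runs the regex variants discussed here over the posted log line, so the difference between the lazy `.*?"`, the greedy `.*"`, the accepted `\w+` and the `\S+?"` variant is visible side by side; Python spells a named group `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`, otherwise the patterns are identical. It also goes beyond the thread with a constructed hyphenated desktop name (assumed host `example.invalid`) to show where `\w+` stops short.

```python
import re

# Constructed copy of the access-log line posted in the question. The value the
# poster wants (UnderwritingICM) appears twice: once after "&desktop=" in the
# request line and once after "?desktop=" in the quoted referrer.
LOG_LINE = (
    '10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] "POST /navigator/jaxrs/'
    'plugin?repositoryId=UNDERWRITINGTARGETOS&caseId=70C09C5C-0100-C614-92F3-'
    'BEEC330CE13F&plugin=ICMAPIPlugin&action=CaseService&desktop=UnderwritingICM '
    'HTTP/1.1" 200 33444 "https://www.aoins.com/navigator/?desktop=UnderwritingICM" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    '112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -'
)

# Constructed line (not from the thread) whose desktop name contains a hyphen,
# to show where the accepted \w+ answer stops short of the full value.
HYPHEN_LINE = 'GET /navigator/ "https://example.invalid/navigator/?desktop=Claims-ICM" "UA/1.0"'

# The regex variants discussed in the thread. Python spells a named group
# (?P<name>...) where Splunk's PCRE accepts (?<name>...); the bodies are identical.
PATTERNS = {
    "lazy_to_quote": r'\?desktop=(?P<DesktopName>.*?)"',    # poster's first rex
    "greedy_to_quote": r'\?desktop=(?P<DesktopName>.*)"',   # "I get everything" case
    "word_chars": r'\?desktop=(?P<DesktopName>\w+)',        # accepted answer
    "non_space_lazy": r'\?desktop=(?P<DesktopName>\S+?)"',  # gauravsplunkarc's variant
}


def extract_desktop(pattern: str, line: str):
    """Return the DesktopName capture for the first match of pattern, or None."""
    match = re.search(pattern, line)
    return match.group("DesktopName") if match else None


def compare_patterns(line: str) -> dict:
    """Run every variant over one line so the captures can be compared side by side."""
    return {name: extract_desktop(pat, line) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for sample in (LOG_LINE, HYPHEN_LINE):
        for name, value in compare_patterns(sample).items():
            print(f"{name:>16}: {value!r}")
        print()
```

The greedy variant captures through the last double quote on the line (the end of the user-agent string), which is the "I get everything" result described in the question.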

mattiaslindblom
Explorer

Seems to work ok here.

If I try that with ?desktop=UnderwritingICM" in an eval and using your first rex on that field, it works just fine.

0 Karma

kmaron
Motivator

index=index host="host" | rex field=_raw "\?desktop=(?.*?)""

This gives me unbalanced quotes

index=index host="host" | rex field=_raw "\?desktop=(?.*?)"

This gives me the field name of DesktopName but the 'value' is blank
1 Value, 75.064% of events

Values Count %
(blank) 19,413 100%

0 Karma

cmerriman
Super Champion

try this:

| rex field=_raw "\?desktop=(?<DesktopName>\w+)"
0 Karma

kmaron
Motivator

I knew it was going to be something simple. Thank you!!!!

0 Karma

mattiaslindblom
Explorer

To me, your first rex looks fine, though, and should work.

0 Karma

kmaron
Motivator

None of them worked. They either error for unbalanced quotes or they list the field name under Interesting Fields but with a blank value.

0 Karma

gauravsplunkarc
Explorer

.* is greedy. Use \S+ instead.

0 Karma

gauravsplunkarc
Explorer

I would use this instead.
\?desktop=(?\S+?)"

0 Karma

GauravSplunxter
Explorer

I downvoted this post because the command is not showing up properly on the page after I click submit.

0 Karma

kmaron
Motivator

Does it work if you post it as code?

0 Karma

kmaron
Motivator

That gives me unbalanced quotes

| rex field=_raw "\?desktop=(?\S+?)""

0 Karma

GauravSplunxter
Explorer

Formatting went bad. I meant
| rex field=_raw "\?desktop=(?\S+)"

0 Karma

GauravSplunxter
Explorer

It's happening again.

0 Karma