Splunk Search

Regex help involving double quote

kmaron
Motivator

I have a whole bunch of these and I need what comes after ?desktop= and before the "

- for this particular log I need UnderwritingICM

10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] "POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 "https://www.aoins.com/navigator/?desktop=UnderwritingICM" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -

However I can't seem to get that piece. I either get nothing or I get everything. I can't seem to get the regex to stop at the double quote.

When I put my regex into regex101 to test it this works

\?desktop=(?<DesktopName>.*?)"

but when I try to use that in Splunk I get unbalanced quotes

I tried a single slash to escape the quote and it comes back with nothing

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\""

I tried a double slash and it tells me I have unbalanced quotes

| rex field=_raw "\?desktop=(?<DesktopName>.*?)\\""

And three gave me the same as one so ... I'm stumped.

Can anyone help with this?

0 Karma

mattiaslindblom
Explorer

Seems to work ok here.

If I try that with ?desktop=UnderwritingICM" in an eval and using your first rex on that field, it works just fine.

0 Karma

kmaron
Motivator

index=index host="host" | rex field=_raw "\?desktop=(?<DesktopName>.*?)""

This gives me unbalanced quotes

index=index host="host" | rex field=_raw "\?desktop=(?<DesktopName>.*?)"

This gives me the field name of DesktopName but the 'value' is blank:

1 Value, 75.064% of events

Values    Count    %
(blank)   19,413   100%

0 Karma

cmerriman
Super Champion

try this:

| rex field=_raw "\?desktop=(?<DesktopName>\w+)"

0 Karma

kmaron
Motivator

I knew it was going to be something simple. Thank you!!!!

0 Karma

mattiaslindblom
Explorer

To me, your first rex looks fine, though, and should work.

0 Karma

kmaron
Motivator

None of them worked. They either error for unbalanced quotes or they list the field name under Interesting Fields but with a blank value.

0 Karma

gauravsplunkarc
Explorer

.* is greedy. use \S+ instead.

0 Karma

gauravsplunkarc
Explorer

I would use this instead.
\?desktop=(?<DesktopName>\S+?)"

0 Karma

GauravSplunxter
Explorer

I downvoted this post because the command is not showing up properly on the page after i click submit.

0 Karma

kmaron
Motivator

does it work if you post it as code?

0 Karma

kmaron
Motivator

That gives me unbalanced quotes

| rex field=_raw "\?desktop=(?<DesktopName>\S+?)""

0 Karma

GauravSplunxter
Explorer

formatting went bad.. I meant

| rex field=_raw "\?desktop=(?<DesktopName>\S+)"

0 Karma

GauravSplunxter
Explorer

it's happening again.

0 Karma
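The thread tries four capture patterns against the same log line, and the differences are easy to see once they are run side by side. The script below is an added example, not code from any poster; it uses Python's `re` module (which spells named groups `(?P<name>...)` where Splunk's `rex` accepts `(?<name>...)`) on a copy of the log line from the question, so it stands in for what `rex` would extract. The pattern names are my own labels.

```python
import re

# Copy of the sample log line posted in the question (one line, no newlines).
LOG_LINE = (
    '10.181.8.169 - E009239 [12/Jun/2017:10:41:53 -0400] '
    '"POST /navigator/jaxrs/plugin?repositoryId=UNDERWRITINGTARGETOS'
    '&caseId=70C09C5C-0100-C614-92F3-BEEC330CE13F&plugin=ICMAPIPlugin'
    '&action=CaseService&desktop=UnderwritingICM HTTP/1.1" 200 33444 '
    '"https://www.aoins.com/navigator/?desktop=UnderwritingICM" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    '112093 2848 33869 48 + 10.7.44.250 PRDFNCM102.aoins.com:15108 -'
)

# Patterns discussed in the thread, in Python syntax (labels are mine).
# Note that "\?desktop=" only matches the referer URL: the request line has
# "&desktop=", so a literal "?" never precedes it there.
PATTERNS = {
    "greedy_dot":    r'\?desktop=(?P<DesktopName>.*)"',    # .* runs to the LAST quote on the line
    "lazy_dot":      r'\?desktop=(?P<DesktopName>.*?)"',   # the question's regex101 pattern
    "word":          r'\?desktop=(?P<DesktopName>\w+)',    # the accepted answer: stops at the quote
    "nonspace":      r'\?desktop=(?P<DesktopName>\S+)',    # last suggestion: the quote is non-space, so it is captured too
    "nonspace_lazy": r'\?desktop=(?P<DesktopName>\S+?)"',  # \S+? with an explicit closing quote
}


def extract_desktop(line, pattern):
    """Return the DesktopName capture for `pattern`, or None when there is no match."""
    m = re.search(pattern, line)
    return m.group("DesktopName") if m else None


def compare_patterns(line=LOG_LINE):
    """Run every pattern over `line` and return {label: captured value or None}."""
    return {label: extract_desktop(line, pat) for label, pat in PATTERNS.items()}


if __name__ == "__main__":
    for label, value in compare_patterns().items():
        print(f"{label:14s} -> {value!r}")
```

Three of the five give `UnderwritingICM`; the greedy `.*"` swallows everything up to the user-agent's closing quote, and the bare `\S+` returns `UnderwritingICM"` with the quote attached, which is worth checking before relying on it in a search. `\w+` is the tidiest for this data but stops at `-` or `.`, so a desktop name containing either would be truncated; `\S+?"` handles those and still stops at the quote. Inside a double-quoted `rex` string in SPL the closing quote is written `\"`, so the lazy pattern from the question is `"\?desktop=(?<DesktopName>.*?)\""`; the doubled quotes shown in several posts are what the forum made of that escape.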