Yes. I'm not talking about space, I'm talking about quotes. For example, if part of your event was cs4=SVCHOST SUSPICIOUS "PARENT" PROCESS (I don't care if that makes sense as such, it's just about syntax), your regex will turn it into cs4="SVCHOST SUSPICIOUS "PARENT" PROCESS", and Splunk will extract only the part up to the second or third quote. That's why I don't like CEF - it's troublesome to manipulate. Because if you try to manually extract fields using regex anchoring on the equal sign, you end up trying to make sure it doesn't break if your equal sign is in the value of the field. (I'm not even sure CEF properly handles such a situation; don't remember.)
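As an added illustration (not code from the original thread), here is a small Python parser that tokenizes CEF extension fields on `<space>key=` boundaries instead of on quotes, so a value like the one above survives intact, and that undoes the `\=` escaping CEF uses for an equal sign inside a value. The sample event is constructed, and the naive quote-wrapping step is my reconstruction of the regex the comment describes, not the poster's actual regex.

```python
import re

# Constructed sample event (not from the post): one value with spaces and
# embedded quotes, one value with an escaped '=' ('\=' per the CEF rules).
SAMPLE_EVENT = (
    'CEF:0|Vendor|Product|1.0|100|Suspicious parent|5|'
    'cs4=SVCHOST SUSPICIOUS "PARENT" PROCESS cs4Label=Note '
    'request=/login?user\\=admin suser=bob'
)

# Reconstruction of the fragile approach from the discussion: wrap each value
# in quotes, then pull out "the quoted string". It stops at the first embedded quote.
def naive_quoted_extract(extension: str, key: str) -> str:
    quoted = re.sub(r'(\w+)=(.*?)(?=\s\w+=|$)', r'\1="\2"', extension)
    m = re.search(rf'{re.escape(key)}="([^"]*)"', quoted)
    return m.group(1) if m else ''

# A key boundary is start-of-extension or whitespace, a key (no spaces, no
# backslash), then '='. A '\=' inside a value never matches because '\' is not
# a key character. An *unescaped* '=' inside a value (e.g. 'msg=see a=b') is
# ambiguous by construction; the producer must escape it.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')
_ESCAPES = {'\\': '\\', '=': '=', 'n': '\n', 'r': '\r'}

def _unescape(raw: str) -> str:
    # Undo CEF extension escaping: '\\', '\=', '\n', '\r'.
    return re.sub(r'\\([\\=nr])', lambda m: _ESCAPES[m.group(1)], raw)

def parse_extension(extension: str) -> dict[str, str]:
    """Map each extension key to its full value, quotes and spaces included."""
    fields = {}
    bounds = list(_KEY_RE.finditer(extension))
    for i, m in enumerate(bounds):
        start = m.end()
        end = bounds[i + 1].start() if i + 1 < len(bounds) else len(extension)
        fields[m.group(1)] = _unescape(extension[start:end])
    return fields

def split_cef(event: str) -> tuple[list[str], dict[str, str]]:
    """Split a CEF line into its 7 header fields and the parsed extension."""
    # Header pipes may be escaped as '\|'; split on unescaped pipes only.
    parts = re.split(r'(?<!\\)\|', event, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF event')
    header = [p.replace('\\|', '|') for p in parts[:7]]
    return header, parse_extension(parts[7])
```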