Hi, I'm struggling to get a complete extraction on any fields that contain double quotes. The payload:

2021-05-25 07:59:04.000, auditId="17864172953", groups_groupId="4639", groupName="some group name", people_personId="625841", users_userId="152321", userLogin="field-removed", userStaffFlag="false", auditIP="111.222.333.444", auditMod="Module", auditMessage="Module: "mod1" is not present in a check, Module: "mod2" is not present in a check, Module: "mod3" is not present in a check, Module: "mod4" is not present in a check, Module: "mod5" is not present in a check, Module: "mod6" is not present in a check, Module: "mod7" is not present in a check, Module: "mod8" is not present in a check, Module: "mod9" is not present in a check, Module: "mod10" is not present in a check", auditDate="2021-05-25 07:59:04.0", auditType="info", auditRID="88827e1f-d157-46d5-b1b4-20b91d4440a4", auditMicroSeconds="0.0000"

In this example, it's the "auditMessage" key that will not extract completely and stops at the first "Module: "<-- The regex (\w+)="(.*?)" gets me most of the way there (regex101), but doesn't work in Splunk. My Fu has failed me.
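The core problem in the post is that the value of auditMessage contains unescaped double quotes, so a lazy `(.*?)"` stops at the first embedded quote. Because the producer never escapes quotes, the only reliable terminator is the closing quote that is immediately followed by the next `, key="` pair (or by the end of the record). The following is an added Python example, not code from the original post, that contrasts the naive pattern from the question with a lookahead-anchored pattern; the sample record is the one quoted in the post, and `parse_kv` / `parse_kv_naive` are names chosen here.

```python
import re

# Sample record copied from the post (IP and IDs are the poster's own placeholders).
SAMPLE = (
    '2021-05-25 07:59:04.000, auditId="17864172953", groups_groupId="4639", '
    'groupName="some group name", people_personId="625841", users_userId="152321", '
    'userLogin="field-removed", userStaffFlag="false", auditIP="111.222.333.444", '
    'auditMod="Module", auditMessage="Module: "mod1" is not present in a check, '
    'Module: "mod2" is not present in a check, Module: "mod3" is not present in a check, '
    'Module: "mod4" is not present in a check, Module: "mod5" is not present in a check, '
    'Module: "mod6" is not present in a check, Module: "mod7" is not present in a check, '
    'Module: "mod8" is not present in a check, Module: "mod9" is not present in a check, '
    'Module: "mod10" is not present in a check", auditDate="2021-05-25 07:59:04.0", '
    'auditType="info", auditRID="88827e1f-d157-46d5-b1b4-20b91d4440a4", '
    'auditMicroSeconds="0.0000"'
)

# The pattern from the question: the lazy group stops at the first '"' it sees,
# which for auditMessage is the quote that opens "mod1".
NAIVE_KV = re.compile(r'(\w+)="(.*?)"')

# Hardened pattern: still lazy, but a closing quote only counts when it is
# followed by the next key/value separator (`, key="`) or by end of record.
# Embedded quotes inside a value never satisfy that lookahead, so the match
# keeps extending until the real field boundary.
ROBUST_KV = re.compile(r'(\w+)="(.*?)"(?=\s*,\s*\w+="|\s*$)', re.DOTALL)


def parse_kv_naive(record: str) -> dict:
    """Extract key="value" pairs with the naive pattern (truncates quoted values)."""
    return {k: v for k, v in NAIVE_KV.findall(record)}


def parse_kv(record: str) -> dict:
    """Extract key="value" pairs, tolerating unescaped quotes inside values."""
    return {k: v for k, v in ROBUST_KV.findall(record)}


def truncated_fields(record: str) -> list:
    """Names of fields whose naive extraction lost data, useful as a parser self-check."""
    naive, robust = parse_kv_naive(record), parse_kv(record)
    return [k for k in robust if naive.get(k) != robust[k]]


if __name__ == "__main__":
    for key, value in parse_kv(SAMPLE).items():
        print(f"{key} = {value!r}")
    print("fields the naive regex truncated:", truncated_fields(SAMPLE))
```

The lookahead is ordinary PCRE syntax, so the same idea carries over to Splunk's regex engine. The remaining caveat is structural rather than a regex issue: a value that itself contains the literal sequence `", something="` would still split early, because an unescaped format cannot distinguish that text from a real field boundary. If you control the producer, escaping or JSON-encoding the message is the fix; if not, this boundary-aware pattern is as far as a regex can safely go.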