I have a file that is delimited by " so that is what I am using to extract the fields, however, some events have a field that contains the delimiter itself within it. How do I go about extracting this field, without Splunk breaking that field into several other fields?
Sample:
"src_ip" "auth_user" "time_stamp" "bytes_to_client" "req_line" "status_code" "media_type" "categories" "rep_level" "virus_name" "block_res" "Policy" "Proxy Port"
"1.1.1.1" "Joe123" "[23/Nov/2014:23:30:05 -0500]" "1511" "GET http://www.nbcudigitaladops.com/hosted/global.js HTTP/1.1" "200" "text/javascript" "Internet Services" "Unverified" "" "0" "AIU" "9090"
"1.2.2.8" "Jane123" "[25/Nov/2014:23:30:41 -0500]" "438" "GET http://www.bing.com/fd/ls/l?IG=de256505264d4eb181a8498ff8a3da90&Type=Event.PPT&DATA={"S":1256,"E":17... HTTP/1.1" "200" "image/gif" "Search Engines" "Minimal Risk" "" "0" "AIU" "9090"
It looks to me, based on your sample events, that space is the delimiter and quotation marks enclose each field.
It looks to me, based on your sample events, that space is the delimiter and quotation marks enclose each field.
Thanks, I actually went back and changed the delimiter back to space and I had to change the Character to use for quotes to Double Quotes instead of Auto. That seemed to do the trick.
Yes, I've also tried space, however, it is also included within some of the fields:
"GET http://www
"Search Engines"
"Minimal Risk"
Appreciate if you share the query format .