Hi, I'm trying to find a good way to handle a situation with logs from CheckPoint URL filter and Application Control.
They contain the relevant URLs in the `resource` field. The field separator is by default the pipe character '|'.
However some of the log entries contain URLs that themselves contain pipes that are escaped.
This is an example from the raw log from lea-loggrabber:
`http://fonts.googleapis.com/css?family=Roboto Condensed:400,300,700\|Open Sans:400,300,600,700\|Roboto:400,100,300,500,700\|Cuprum:400,700`
The problem is that Splunk parses the pipe as a field separator. Any suggestions on how to prevent this?
I've tried to just replace the text with SEDCMD, but I haven't been able to get that to work so far.
So any suggestions would be appreciated :-)
Thanks
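The parsing rule the question calls for, as an added example that is not part of the original post: split only on pipes that are not preceded by a backslash, then unescape. The sample record is constructed; every field name except `resource` is an assumption, as is the premise that a backslash appears only as the escape for a pipe.

```python
import re

# Constructed sample record in pipe-delimited key=value form. Only the
# `resource` value comes from the post; the other fields are assumptions.
SAMPLE = (
    r"time=2014-01-01 00:00:00|action=allow|"
    r"resource=http://fonts.googleapis.com/css?family=Roboto Condensed:400,300,700"
    r"\|Open Sans:400,300,600,700\|Roboto:400,100,300,500,700\|Cuprum:400,700"
    r"|product=URL Filtering"
)

# A real separator is a pipe that is NOT preceded by a backslash.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def split_fields(line):
    """Split on unescaped pipes only, then turn each \\| back into |."""
    return [f.replace("\\|", "|") for f in UNESCAPED_PIPE.split(line)]


def parse_record(line):
    """Return a dict of key -> value for one log line."""
    record = {}
    for field in split_fields(line):
        # Split on the first '=' only: URLs carry their own '=' characters.
        key, _, value = field.partition("=")
        record[key] = value
    return record


if __name__ == "__main__":
    print(len(SAMPLE.split("|")), "fields with a naive split")
    print(len(split_fields(SAMPLE)), "fields when escapes are honoured")
    print(parse_record(SAMPLE)["resource"])
```
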