I am new to GROK and appreciate your help.
The goal is to put everything leading up to the word "user-agent" into a field named "details" and everything after "user-agent" into a field named "user-agent".
The excerpt of the log:
details=Vulnerabilities Security Filter intercepted a malicious request, which includes a blocked pattern. 7240 Description: An '/etc/passwd' file is available through the web site. This file contains the systems users and passwords. (Severity: Medium)
_time=2022-10-22 15:29:22.849000,event_type=security,action=Blocked,directory=/search/page/,uri=/search/page/,appwallTimeStamp=1666466962853,srcIP=1.1.1.1,dstPort=54009,srcPort=23025,fqdn=abc.local,method=GET,module=Vulnerabilities,title=Pattern Violation Detected,application=App_abc.local,category=Misconfiguration,type=Security Misconfiguration,severity=High,transId=85534386,enrichmentContainer={"owaspCategory2017":"A6","contractId":"650d12bb-4c87-4004-9931-4c0d72424ec3","applicationId":"4c9c2b54-9cea-4eaf-9284-d44e2b6d682c","tenant":"869739c6-861f-4273-9170-9341e1106278","geoLocation":{"countryCode":"US"}},details=Vulnerabilities Security Filter intercepted a malicious request, which includes a blocked pattern.
7240
Description: An '/etc/passwd' file is available through the web site. This file contains the systems users and passwords. (Severity: Medium)
Src page: https://abc.local/search?brand-filter[]=5&price-filter=1&quality-filter=9
Authenticated as Public
,user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0,referer=https://sanehack.com/search?brand-filter[]=5&price-filter=1&quality-filter=9,cookie=__uzmd=1666395069; __uzme=9738; __uzmb=1666394960; __uzmc=24935161216593; __uzma=6958fc68-3440-4dd1-8912-2fca8b986c43; PHPSESSID=f032n0t8a3clail61ql2lcfbt7; visited_products=%2C64%2C72%2C34%2C170%2C92%2C147%2C121%2C35%2C71%2C160%2C39%2C111%2C60%2C48%2C52%2C1%2C105%2C99%2C62%2C183%2C132%2C63%2C28%2C43%2C66%2C53%2C126%2C197%2C209%2C203%2C204%2C205%2C206%2C200%2C201%2C195%2C185%2C191%2C193%2C194%2C187%2C189%2C180%2C165%2C176%2C178%2C171%2C174%2C167%2C169%2C161%2C164%2C145%2C135%2C157%2C159%2C151%2C153%2C146%2C149%2C142%2C144%2C137%2C139%2C125%2C115%2C110%2C133%2C134%2C127%2C129%2C122%2C124%2C117%2C119%2C112%2C114%2C100%2C85%2C108%2C102%2C104%2C91%2C94%2C96%2C98%2C86%2C88%2C89%2C76%2C56%2C46%2C77%2C78%2C79%2C82%2C68%2C70%2C75%2C57%2C59%2C65%2C49%2C51%2C55%2C38%2C42%2C45%2C31%2C33%2C21%2C11%2C27%2C30%2C23%2C25%2C17%2C20%2C13%2C15%2C7%2C10%2C3%2C5%2C,x-rdwr-port=51352,x-rdwr-port-mm-orig-fe-port=443,x-rdwr-port-mm=443
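
The split described in the post, sketched as a Python regular expression rather than a Grok pattern (an added example, not part of the original post). The sample event is constructed and shortened from the excerpt above; the function names are hypothetical, and `narrow` assumes `referer` is always the key that follows `user-agent`, as it is in the excerpt.

```python
import re

# Constructed sample, shortened from the excerpt in the post: the details value
# spans several lines and ends just before ",user-agent=".
SAMPLE = (
    "_time=2022-10-22 15:29:22.849000,event_type=security,action=Blocked,"
    "details=Vulnerabilities Security Filter intercepted a malicious request, "
    "which includes a blocked pattern.\n"
    "7240\n"
    "Description: An '/etc/passwd' file is available through the web site. (Severity: Medium)\n"
    "Authenticated as Public\n"
    ",user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0,"
    "referer=https://abc.local/search,x-rdwr-port=51352"
)

# DOTALL lets "." cross the newlines inside details; the lazy ".*?" stops at the
# first ",user-agent=" instead of the last one.
SPLIT = re.compile(r"\A(?P<details>.*?),user-agent=(?P<user_agent>.*)\Z", re.DOTALL)


def split_event(raw):
    """Everything before ',user-agent=' -> details, everything after -> user-agent.

    Returns None when the marker is missing, so the caller can tag the event as
    unparsed instead of indexing it with empty fields.
    """
    m = SPLIT.match(raw)
    if m is None:
        return None
    return {
        "details": m.group("details").rstrip("\n"),
        "user-agent": m.group("user_agent"),
    }


def narrow(fields):
    """Optional second pass: keep only the value of details= and cut the
    user-agent at ',referer=' (assumed key order). A plain comma is not a safe
    terminator because User-Agent strings may contain commas themselves."""
    details = fields["details"].split(",details=", 1)[-1]
    user_agent = fields["user-agent"].split(",referer=", 1)[0]
    return {"details": details, "user-agent": user_agent}
```

Both halves of the event carry request-derived text (the source page URL inside details, the User-Agent header), so the `None` path matters: a request that contains the marker string or omits the header shifts or breaks the split.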