topic Re: How to search for specific words in URL in Splunk Enterprise Security

How to search for specific words in URL

ADCW7TQ — Tue, 29 Sep 2020 11:20:44 GMT

index=* youtube user | table _time, user, host, src, dest, bytes_in, bytes_out, url

This is my simple query. I would like to get result for some specific words from the observed youtube URL in results.

eg:

The above is the "result as per my query. How to do a specific word search in the URL? Like "movies", "keanu reeves" "trailer"

Just want to know, what kind of youtube URL the user has accessed.

somesoni2 — Sun, 09 Oct 2016 17:04:53 GMT

You can utilize the match function of where clause to search for specific keywords

index=* youtube user | table _time, user, host, src, dest, bytes_in, bytes_out, url | where match(url,"keenu") OR match(url,"movie") OR...

OR use the regular Splunk search filter like this

index=* youtube user (url=*keenu* OR url=*movie* OR...) | table _time, user, host, src, dest, bytes_in, bytes_out, url

felipecerda — Sun, 09 Oct 2016 22:51:54 GMT

If you want to know what the URLs contain you could also extract what the descriptions say using regex. Something like:

index=* youtube user | rex field=_raw "&description1=(?<desc1>.*),&" | table _time, user, host, src, dest, bytes_in, bytes_out, url, desc1

ADCW7TQ — Mon, 10 Oct 2016 08:09:29 GMT

Thanks!!!

However, i am getting the same result as before. But the 'desc1' column came blank in the result.

ADCW7TQ — Tue, 29 Sep 2020 11:20:39 GMT

Thanks a lot..

It works, addition to this query. May i get the answer for bytes_in & bytes_out in MB??

ADCW7TQ — Tue, 11 Oct 2016 07:13:33 GMT

Well, May i know how to use this regex query? As it as or i need to replace any words in the description part.

rex field=_raw "&description1=(?.*),&"