https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64976#M16056 <P>Sorry in the csv i have like this.</P> <P><CODE>BOTs useragent<BR /> Traverse *Traverse*<BR /> Capture *Capture*</CODE></P> Thu, 19 Sep 2013 01:06:07 GMT xvxt006 2013-09-19T01:06:07Z https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64972#M16052 <P>Hi,</P> <P>We would like to create a look up table based on some user agents. </P> <P>Mozilla/5.0 (compatible; Traverse/0.1; ABC 22175)<BR /> Mozilla/5.0 (compatible; Traverse/0.1; ABC 23457)<BR /> Mozilla/5.0 (compatible; Capture/0.4; ABC 56439)<BR /> Mozilla/5.0 (compatible; Capture/0.2; ABC 98123)</P> <P>I would like to group similar kind of requests in the look up table and save them into Field XXX. </P> <P>So field XXX should show <BR /> Traverse 2 requests<BR /> Catpure 2 requests</P> <P>So can i specify reg ex in the look up table as there will be multiple patterns which i would like to group them.</P> Tue, 17 Sep 2013 01:58:47 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64972#M16052 xvxt006 2013-09-17T01:58:47Z https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64973#M16053 <P>There is an app that provides a dynamic lookup for user agent strings; it is called <STRONG>TA-uas_parser</STRONG>. Download it from</P> <P><A href="http://apps.splunk.com/app/1007">http://apps.splunk.com/app/1007</A></P> <P>It's free. The user agent string can be very complex. I don't recommend that you build this yourself.</P> <P>If you really want to do it youself, you can use wildcards (regular expressions) in the input field of a lookup table.<BR /> See <A href="http://answers.splunk.com/answers/28566/how-to-use-wildcard-in-lookup-based-searches-and-alerts">How to use wildcards in a lookup</A> table for more info.</P> Tue, 17 Sep 2013 04:18:08 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64973#M16053 lguinn2 2013-09-17T04:18:08Z https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64974#M16054 <P>Thank you. I will try this.</P> Tue, 17 Sep 2013 22:27:35 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64974#M16054 xvxt006 2013-09-17T22:27:35Z https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64975#M16055 <P>Hi, i tried the match_type = WILDCARD(useragent) and then i have in the csv file (Look up file). <BR /> <CODE>BOTs useragent<BR /> Traverse *Traverse*<BR /> Capture *Capture*</CODE></P> <P>But i am not getting them grouped. One thing i want to mention is, i already have BOTs filed which extracts all the legitimate BOTs (which have +http://....). I want to add these others into the same field which does not have standard user agent (+http://.. format).</P> <P>Do you think it would work that way?</P> Thu, 19 Sep 2013 01:05:12 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64975#M16055 xvxt006 2013-09-19T01:05:12Z https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64976#M16056 <P>Sorry in the csv i have like this.</P> <P><CODE>BOTs useragent<BR /> Traverse *Traverse*<BR /> Capture *Capture*</CODE></P> Thu, 19 Sep 2013 01:06:07 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64976#M16056 xvxt006 2013-09-19T01:06:07Z https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64977#M16057 <P>i think it is not showing asterisks in the comments</P> Thu, 19 Sep 2013 01:10:17 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-specify-a-regex-in-a-lookup-table-to-group-similar/m-p/64977#M16057 xvxt006 2013-09-19T01:10:17Z