Key value pair... in a key value pair

adepasquale · ‎11-05-2020

Assume I have this key value pair in splunk

uri_query=“client=safari&source=hp&ei=5k-kX56GMdGpytMPu7asyA0&q=random+search&oq=random+search&gs_lcp=ChFtb2JpbGUtZ3dzLXdpei1ocBADMgUIABDJAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAA6CAgAELEDEIMBOgIILjoICC4QsQMQgwE6BQguELEDOgUIABCxAzoICAAQsQMQyQM6BAgAEApQ1xNY6yNg-iVoAHAAeACAAUKIAY8GkgECMTOYAQCgAQGwAQA&sclient=mobile-gws-wiz-hp”

the uri parameters could be in any order. If I want to search for a specific value I’m forced to do something like

| search uri_query=“*sclient=mobile-gws-wiz-hp*”

this is very slow for obvious reasons

if I run

| search sclient=mobile-gws-wiz-hp

This is very fast, but includes results where this value might be in the refer field rather than the uri_query field.

is there a better way to do these needle in a haystack searches?

richgalloway · ‎11-05-2020

Here's a kludgy, untested way to parse the uri_query field.

... | eval oldraw=_raw
| eval _raw=uri_query
| extract pairdelim="&" kvdelim="="
| eval _raw=oldraw
| search sclient="mobile-gws-wiz-hp"
...

---
If this reply helps you, Karma would be appreciated.

Key value pair... in a key value pair

field extraction

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Key value pair... in a key value pair

field extraction

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES